SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy-to-follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 105: Products and Byproducts

Posted on September 6, 2018

In this week’s discussion, we’re looking at some stories that strike a similar tone to several of our recent episodes. With Google figuring out how to use your spending habits to make money, spyware apps that end up being compromised, and a look at the web’s privacy-friendly search engine, we’ve got plenty to tackle today. Here’s what we’ve got on our list:

  • You’re still the product
  • Your kids are the byproduct
  • A look at how things are going for DuckDuckGo

Have you ever heard the saying, “If you aren’t paying for a product, you are the product”? We often talk about this when a company ends up using data about you to make money, not unlike how MoviePass claimed it would monetize its service by selling user statistics. Well, as it turns out in our first story today, even if you are paying, you might still be the product. What’s the deal?

You’re still the product

Advertising makes the web go ’round — this we know. For the advertisers, it’s not just about making sure that plenty of people see the ads, it’s also about figuring out how effective they are at converting users into consumers looking to make a purchase. To a certain degree, this is a solved problem for web-based businesses whose ads take users straight to a place where they can purchase something. What about tracking the success of ads that might lead to a purchase in the real world? That’s trickier. Up until recently, advertisers have had to work with a variety of different tools of varying effectiveness. Google, as usual, has decided to change all that.

According to a report by Bloomberg, a limited number of Google’s advertising partners have, for about a year now, been able to access an unprecedented tool for linking real-world purchases with online advertising activity. How do they do this? Well, first they started by buying a massive trove of user transaction data from MasterCard. We’ve talked in the past on The Checklist about how credit card companies can anonymize this information and may choose to share it with advertisers and others seeking to develop better marketing. This is the first time we know of, though, where a tech giant has taken steps such as these. Bloomberg breaks the feature, dubbed “Store Sales Measurement,” down into two components.

First, an advertising partner with Google can submit their own customer databases, such as a list of email addresses, to allow for ad purchases timed to coincide with higher periods of offline sales related to the products under advertisement. In the second step, Google combines its transaction history database from MasterCard with this user information. Let’s consider an example.

Perhaps a user wants to add something nice to their kitchen, so they go online and search for a “stainless steel toaster.” Near the top of the Google results, as always, will be some sponsored links — so maybe the user clicks one of those ads because it seems relevant. They browse products for a while, but ultimately close their browser to do something else. Days or weeks later, that same user visits a retail store and uses their MasterCard to purchase a stainless-steel toaster. If the user was signed in to their Google account when they clicked the ad previously, their purchase data goes into a bin with everyone else who did something similar.

Ultimately, advertisers get reports with numbers showing the percentage of shoppers who viewed their ads and then made a related purchase in stores, plus other transaction details that might be related. The data is all anonymized and unlinked from the user’s individual Google account, but it still means Google paid millions for access to info about how you use your credit card — and then used your info to make money of their own. Here’s the other thing that has some people upset: neither MasterCard nor Google disclosed that it was doing this to consumers. Neither does any company seem to think it was important to do so.

There’s really no benefit for consumers in this case. Your data is simply a profit-making tool for Google at this point — after all, how much of a “benefit” is “seeing more relevant ads” these days, anyway? We’ve heard about targeted advertising for well over a decade, and no one (besides advertisers) seems to think it’s a massive perk to see more ads. Think of how many people use ad blockers, too… we want to see fewer or no ads at all! Relevancy doesn’t enter into the picture as often as big companies would like to believe.

A spokeswoman for the Electronic Privacy Information Center quoted in the Bloomberg article points out this is another example of companies shifting the burden to users, rather than being forthright and providing options for users. While you could opt out of this type of tracking (explained below), it would be better if it was opt-in, or if the companies involved were clear to users about the privacy rights they have.

Neither Google nor MasterCard commented for the Bloomberg story, but anonymous sources inside Google say that they raised red flags about the obscure opt-out method. As usual, it seems the almighty dollar won out in those discussions. It isn’t the first time in recent episodes here on The Checklist that we’ve covered Google’s arcane opt-out procedures, either, with location tracking being a persistent issue as well. So, what can you do?

The easiest way to get around this, of course, is to sign out of your Google account everywhere — phone, computer, and so on — but that can be a tricky solution. Google accounts connect to so many things today in a user-friendly way that it is almost impossible to get around the need to be signed in to use one of their products. While it would work, it’s a bit of a “scorched earth” tactic that can leave you feeling more frustrated than secure.

To fully opt out of ad tracking requires a bit of work due to how deeply Google buries the many settings involved. To do so requires using the “Web and App Activity” console, which can be tricky to find. We suggest following the guide posted here if you’re interested in shutting the door on Google’s all-seeing advertising eye once and for all.

Your kids are the byproduct

In last week’s discussion, one of the main themes we hit upon was a story about the ills of tracking and spyware apps used by parents and employers to keep watch over what happens on other devices. In that story, we discussed how a company called Spyfone left a web server wide open, exposing huge amounts of data gathered from the phones under surveillance. This included text messages, selfies, contacts, and even hashed passwords. During our conversation about Spyfone, one thing we mused about concerned the huge potential for abuse — and for use by abusers — that this type of technology creates.

Thanks to an in-depth piece by Motherboard, we know that one such company which marketed directly to jealous individuals recently suffered a long-term hack. In the same vein, we’ll also look at another piece published by Motherboard where another parental spyware app left a child’s photos exposed on the web. If this isn’t enough to convince you that these apps have no place on our devices, well… think again!

The company in question in the first story, TheTruthSpy, is notorious for marketing to individuals who suspect their significant others of hiding something. In February of this year, a hacker reached out anonymously to Motherboard to claim they had infiltrated TheTruthSpy’s servers, with access to information from victims all around the world. It included not only the data from surveilled phones, but information on the people doing the spying, too. According to the hacker, there were nearly 10,000 accounts he could access through a vulnerability exploited in TheTruthSpy’s servers. Motherboard confirmed the validity of these claims with evidence of valid account credentials supplied by the anonymous source.

As usual, the compromised information included everything you’d expect: texts, phone records, pictures, and more. The “good” news, if we can call it that, is that the hacker soon lost access after TheTruthSpy updated its servers. Nonetheless, this is an increasingly common problem. Using a spyware app like this takes dedication, too, as the installation instructions on TheTruthSpy’s website state up front that the “target device” must be jailbroken for the software to work. That said, other services depend on the individual doing the spying to supply the target’s iCloud username and password, which would then allow a third-party service to download the individual’s iCloud backup.

So, for our adult listeners, here are three key takeaways you should keep in mind thanks to this story:

  1. Don’t jailbreak your phone. Just don’t do it! It opens you up to a world of potential trouble and security problems, and there’s simply no good reason to do it these days.
  2. Never share your iCloud login info with anyone. It should go without saying — you shouldn’t share your info with anyone in general — but with the huge amount of sensitive info that can end up stored in your iCloud account, it’s a treasure trove best left hidden. Keep it secret.
  3. Change your iCloud password immediately if you suspect someone may have access. In fact, you might even want to change your iCloud password on a semi-regular basis. It’s better to be safe than sorry, as they say — and keeping your iCloud locked down is worth a little extra effort.

If only that were the end of our spy adventures today — but we’ve got one more story in this category, this time relating again to parents who want to spy on their children’s mobile devices. This one, called Family Orbit, recently suffered a breach of its own. Again, the hacker reached out voluntarily to Motherboard to disclose his or her feat. According to the reporting, Family Orbit left photos collected from children’s phones hidden in an easy-to-find place on the web, protected only by a weak and easily guessed passcode. The result was that hundreds of children’s photos were potentially viewable online to anyone with the savvy to find them.

While TheTruthSpy ignored all requests for comment, Family Orbit actually confirmed the breach and stated they had immediately begun to take steps to correct the issue. Further, they said, they had suspended sales until they could identify and fix any potential leaky points in their systems. While that’s all well and good, one still wonders why this wasn’t done in the first place.

Once again, if you’re concerned about your child and the potential impact having a mobile device can create, we’d like to point you back to Episode 24 of The Checklist: 5 Things to Know About Child-Proofing Your Kid’s iPhone. It’s got a great discussion packed full of ideas you can consider for your own use — and none of them requires a dangerous jailbreak.

A look at how things are going for DuckDuckGo

Okay, let’s transition to some good news. We’ve talked about the privacy-oriented search engine DuckDuckGo here on The Checklist for a few weeks now, and it’s nice to see that they’re getting some love from others out there, too. According to TechCrunch, the company operating DuckDuckGo just recently secured a new round of venture capital funding to the tune of $10 million. Their VC partner stated the investment seemed smart due to the rising concern for personal privacy online and off and the need for tools to secure that privacy. This is actually only the second time DDG has sought VC funding, with their first round coming all the way back in 2011.

Believe it or not, DDG has operated at a profit for nearly half a decade now. They do it like everyone else does: by selling ads — but most notably, these aren’t ads loaded up with tracking cookies. It’s like the old days of the web when what you saw was what you got with no hidden surprises. In fact, TechCrunch’s report notes that DDG tried to refuse the funding at first, before eventually being persuaded that it would allow them to grow further and expand to bring tracking-free search to more people. Congratulations to DDG!

Here at The Checklist, we’ve been trying out DDG on our own devices for a few weeks, and the results have been interesting. While there is definitely an adjustment period, finding quality results is still just about as easy as it is with Google. If you’ve grown concerned with how often you hear stories about Google’s tracking and privacy problems, we suggest giving it a try — at the very least, the existence of an alternative option that sticks to a no-tracking pledge is quite welcome.

Isn’t it nice to end on good news for once? That’s all we have for you in this week’s discussion, but it doesn’t mean we’re done — we’ll be back again next week to take another tour around the headlines as we see what’s up in the world of security. Missed an episode recently, or aren’t up to speed on some of the things we mentioned in today’s discussion? A trip into our archives will help, where you can revisit 104 other complete episodes. Read the show notes, listen to the audio, or take a deep dive with the helpful links we include to all the stories we cover.