SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 126: Little Nests Have Big Ears

Posted on February 21, 2019

Are there devices in your home that can listen to your surroundings? If you use a digital assistant, that’s to be expected — but what if you’re using a home security system? Have Google ads been following you around the web without any indication that you could “opt out” at any time? And is sharing really caring? Sometimes, it might not be such a nice thing.

We’re answering these questions and taking a more in-depth look at all the stories that give rise to them on today’s episode, where we’re checking off the following items on our list:

  • Little Nests Have Big Ears
  • Google Crosses One of Its Own Privacy Lines
  • When Sharing Can Be a Bad Thing

We’ll begin this week’s discussion with a dive back into a topic we’ve talked about a few times already this year, but now, with a new and interesting twist.

Little Nests Have Big Ears

You may remember that we recently touched on a story about Nest, the Google-owned smart home security company. In that story, someone “hacked” a family’s Nest using a stolen password and made the family think the United States was under attack. The family blamed Nest, but it was their own poor password management that opened the door to the attacker. We discussed it and rendered our verdict on the event: Nest was ultimately blameless in the whole thing. With today’s story, though, things are a little different. The news comes to us courtesy of Business Insider: Nest devices had a built-in microphone that users didn’t know about at all.

The Business Insider story notes that Google announced earlier in February that its own Google Assistant would now be able to interface through Nest security systems. There was just one issue with the announcement: since when was there a microphone in Nest that could respond to an “OK Google” prompt? Users quickly expressed discomfort and some outrage at the idea that the microphone was never disclosed during their initial purchase.

Google, of course, released a statement all but declaring the outcry to be a mountain and molehill situation. Saying that the microphone was “never intended to be a secret” and was left off technical specifications by mistake, Google further insisted that the hardware was never actually turned on and was only included to provide room for feature growth as the company developed new technologies. One example provided in the company’s statement: allowing Nest systems to detect broken glass and potentially alerting authorities and homeowners to an attempted break-in.

It’s hard to ignore the question this all raises: how does Google, a multi-billion-dollar corporation whose stock in trade is information, realistically forget to include the presence of a microphone on tech specs? We’re not the only ones who are having a hard time believing the line coming from Google PR — some members of Congress would like answers to their questions, too. Business Insider quotes Senators Ron Wyden and Mark Warner of Oregon and Virginia, respectively.

Saying that the news was “totally at odds with consumer expectations,” Warner went on to say that “consumers and policymakers have been kept in the dark for years about data collection and commercialization practices.” Ultimately, he called for hearings before Congress to work to bring other such practices into the light. Senator Wyden added that “every sensor in every electronic device should be clearly identified to consumers before purchase” and that there “must always be a choice” for Americans to decline to add devices to their homes based on the sensors they contain. 

Is that realistic? Well, Apple does it — look at the product page for an iPhone, for example, and you’ll see that not only is every sensor listed, but how it functions is there to see too. In other words, it shouldn’t be difficult to do, although there is a risk that this information would merely become hyper-condensed and jargon-filled, such that people simply ignore the information. Should Congress ever decide to legislate this issue—difficult enough as it is—we hope the law they write mandates clear and simple language. 

There is some good news to this story, though: Google says the microphones are turned off by default, and if you’re worried that somehow yours got turned on at some point, there’s an easy process to turn it back off again. Here’s what to do:

  1. Visit the Settings page in your Nest app. For Nest Guard users, just tap the “Nest Guard” option in your Settings.
  2. Select “Google Assistant.”
  3. Ensure the switch is set to off, or tap it to turn it off.

That’s it — you’re done! And Google promises it’s not listening to you now with its secret microphone.

Google Crosses One of Its Own Privacy Lines

Maybe the headline should more accurately read “crossed” — this next story comes to us from The Next Web, although it was originally a ProPublica piece published back in October of 2016. Even though this is technically “old news,” we think this is something many of our listeners will be surprised to hear about — given how little fanfare Google made back when it happened. So, what’s actually going on with this story?

Here’s the deal: back in 2007, Google bought one of the Internet’s most prominent online advertising firms, called DoubleClick, creating in their merger a titan of web ads. At the time, many people raised concerns about what this meant for user privacy, prompting Sergey Brin, one of the search giant’s co-founders, to declare that privacy would remain their top priority throughout the development of new ad products.

Until 2016, that was true — they kept their own user accounts, with all their personal information, wholly separate from DoubleClick’s database of web browsing records compiled from tracking cookies. Then, in the summer of 2016, Google crossed out the language in its privacy policy guaranteeing the separation between those two databases. Replacing those clauses was a simple statement that user browsing profiles “may be” compared and matched to Google-gathered data.

Every new Google account created since that time has had these ad tracking features enabled by default. At the time, current users received an opt-in request — one that was cleverly designed to ensure you did not fully understand what you were agreeing to, since all it offered was “new features for your Google account.” Mainstream media outlets reporting on the change at the time, such as the New York Times, provided little substance about the new policy and did not fully understand the implications.

So, what’s the big deal? Well, ever since Google made this change, it could create an advertising profile of a user, with their real name, based not only on what ads they see or click on around the web, but also on data from their email, their search history, and even their web history. That’s a truly staggering amount of advertising power to have, and Google gained it without ever really attracting much attention to the change.

With new users being automatically opted-in and many existing users perhaps never knowing they agreed to this, it’s likely there are tons of people who have no idea they’ve given Google this kind of window into their activity. Again, though, some good news: buried though it may be, the opt-out still exists, and you can turn this feature off (says Google) if you wish. Here’s how to do that:

  1. Visit the My Account page on Google.
  2. Visit the Activity Controls page next.
  3. Uncheck the box next to “Include Chrome browsing history and activity from websites and apps that use Google services.”

For added peace of mind, you can also go through and delete past activity to sanitize your account further. If this sort of thing is of major concern to you, however, you may want to consider making the switch to a more privacy-focused search engine such as DuckDuckGo. While the experience is different than using Google, the company operates with clear guidelines on user data. For us, it’s been a welcome change.

When Sharing Can Be a Bad Thing

When is sharing not caring? We’ve been told since we were kids that sharing is a good thing, and apparently, that lesson stuck — according to CNET, more than 70% of people said they would share their password to a streaming service with a partner. More than 33% of respondents to the survey also said they would abandon their subscription to streaming services if they began to employ AI or machine learning systems to prohibit such sharing.

What’s the problem here? Setting aside the morally gray area of sharing streaming site passwords with your friends and family, there is actually a real security issue at play here. According to the same survey, more than 50% of the survey respondents also said that they re-use their passwords. In other words, it’s likely that many people are not simply sharing passwords for their Netflix account — but also inadvertently sharing their passwords to other sites at the same time. That can expose an enormous amount of your information to risk, especially if you’re reusing passwords for sensitive activities such as banking.

When only you know your password, you are in total control of the risk you face with its use. When you hand it over to someone else, however, now you’ve doubled your risk — and taken control out of your hands. You’re now reliant on the strength of someone else’s security practices, and that someone might not be as cautious as you are. In other words, don’t reuse your passwords, and definitely do not share those passwords with anyone!

Instead of sharing your existing passwords, consider using a password manager. Not only will it make keeping track of your information easier, but it allows you to generate strong passwords for your accounts. This way, you can minimize your exposure to a breach — even if you do decide to share that unique login with your friend or partner.

Whether you’re off to explore password managers or you’re headed into your Google account settings to find a way to stop their ads from keeping an eye on your web activity, we hope you’ve found this episode of The Checklist both entertaining and useful. That’s all we have for you on these topics this week.
