SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Online Threats to Privacy

Posted on September 28, 2017

There’s more out there threatening your privacy online that just malicious email attachments, cleverly-worded phishing emails, and other scams that try to trick you into forking over valuable information. We’re seeing more breaking news stories about actions and efforts that undermine every user’s right to control their privacy online. Some of the threats to our privacy out there today are not only hard to detect; they can be hard to guard against, too.

Knowing what you’re up against is the first step in any battle. On this week’s edition of The Checklist, we’re looking at all the many ways, big and small, that your privacy is under threat online. What’s out there, and what can you do about it all?

  1. Location services can threaten privacy despite utility
  2. Apps aren’t always honest about the information they use
  3. Beware of VPNs that aren’t what they seem
  4. Social media connects us, but at what cost?
  5. Data breaches only continue to worsen in severity

Location services can threaten privacy despite utility

GPS satellites absolutely changed the way we live, and once we had personal, portable GPS units, it was only a matter of time before those became a part of our phones too. We use our smart devices for a lot more than just looking at maps, though — we can use what we now call “location services” for all kinds of things. Ridesharing apps like Uber and Lyft use it to pinpoint your location for drivers, while weather apps use GPS information to give you a more accurate forecast.

The benefits are clear — but there are risks inherent in letting apps access your location data. Not all developers treat this information with the same level of respect, and it can be a potential privacy risk in several ways. Let’s talk about how that can happen.

One story that garnered some attention in the media recently has to do with the popular iOS weather app developed by the company Accuweather. Now, Accuweather has since disputed the details of what was going on here — but as we’ll see, the fact is that some data about users was being gathered surreptitiously, whether they intended to do so or not. So what happened?

When you tell an app on iOS that you do not want it to access the phone’s GPS, it is supposed to cease all efforts to track you geographically in any way. Apple has strict rules about keeping users informed on how apps will use their data; in this case, no means no. However, code from a third-party data monetization firm inside the Accuweather app continued to collect uniquely identifiable information about users, including exact GPS coordinates. If you disabled location services entirely, turning off GPS tracking, then the app would instead gather info about the way you connected to the web.

In other words, if you were using a public wi-fi hotspot in a Starbucks, the app would be able to see the unique MAC address of the access point you used. It’s a trivial matter to take a MAC address and associated connectivity information to mark a user’s location to within a few meters. The result is a valuable data set that many firms could use for monetization efforts.

That kind of tracking isn’t unusual — many free apps track data about you and sell it on to marketing firms that want to understand user habits. That in itself is a privacy risk, and it’s why you should always take a close look at the privacy policy before you commit to using any app. If you don’t feel comfortable having so much data about your habits shared, it’s better to avoid apps that would collect such info.

Obviously, that’s hard when companies like Accuweather break the rules! In subsequent statements, the company claimed that the data was not in use, that they were unaware the app collected the data, and then issued an update that allegedly corrected the issue. The point is, though, it’s not always easy to tell what the truth is — it took a security researcher digging into the app to discover the issue in the first place.

Uber’s “fingerprinting” of devices to try to prevent fraud is a similar story — ultimately, they used methods that drew the ire of Tim Cook, the CEO of Apple himself. Though not strictly “tracking” in the GPS sense, it’s still a potential privacy risk; we’ll come back to that in a minute.

Overall, it’s worth taking a moment to stop and think about the ways apps track you. Look at the permissions you grant any app you install — do some of them really need to know where you are at all times? Why enable third-party monetization firms who just want to gobble up as much info about individuals as possible in the pursuit of profit? We need to look very carefully at what we put on our phones, or else we risk too much exposure.

Apps aren’t always honest about the information they use

All this talk about location services and their potential for abuse leads us directly into our next topic for today, which is all about apps, their permissions, and when they do more than they let on to users. We know that Apple has a rigorous process in place for getting onto the App Store, but with more than two million apps on the store, policing all of them is a difficult job. The result is that sometimes apps aren’t doing everything above board — and that can include playing fast and loose with your personal information, bending or even breaking the rules Apple has in place.

Do you ever feel like there’s an app for everything these days? Whether it’s ordering pizza or browsing your favorite news site, you’ll often find there’s a push to “download our app!” Sometimes, it’s convenient; other times, it’s annoying. Altogether, though, it creates a situation where users can end up conditioned to install apps without much thought — the assumption is that because it’s in the App Store, it’s safe. That’s not nessecarily true, though, and if we want to protect our privacy online, we need to be careful about how much we open the door for apps to peer into our lives. Let’s look at a few good examples of apps taking advantage of its user information.

The device fingerprinting by Uber we just mentioned is an excellent place to start because the tactics involved were so subtle—the average user probably never knew about it. In reality, it wasn’t a terrible privacy risk, but Uber’s actions broke the rules in place for protecting users anyway. We think there’s something to be said for the principle of the right to avoid tracking, to opt out whenever you want and for whatever reason — when you delete an app, that should be the end of the story: no more interaction with the user. That’s not what Uber did.

Instead, they “fingerprinted” the device based on identifiers unique to the phone, like its serial number; while this didn’t allow Uber to track people after deletion, as some stories implied, it still violates a user’s privacy. That’s why Apple quickly shut them down and demanded they cease and desist. Uber is no stranger to some shady practices, though.

Unroll.me, a web service designed to help users identify and unsubscribe from the mailing lists clogging up their inboxes collects information about your email — and then sells it to third parties. One such third party was Uber, who trolled through the data to understand the reach of its competitor, Lyft. Both parties here are peering too much into user’s lives; the average person in a situation like this simply becomes a statistic up for sale. Such commodification of our personal info will only lead to further problems with our privacy.

Unroll.me was only apologetic about not making it clear to users that they were selling their info — not for doing it in the first place. This attitude—that users should be thankful for free services even if it means selling their information in return, is a major problem we face. It’s growing more common, too.

Consider the vast number of apps out there designed to help you manage your health. From apps for managing to diabetes to apps for coaching you while you run, there’s a ton of functionality out there. Unfortunately, this sensitive data is fair game on the open market, too. HIPAA doesn’t cover health apps, so developers are free to gather up information about your health from the app and sell it to marketers or other interest customers.

This kind of data trading is a significant threat to your privacy, just as much as unscrupulous location tracking. It’s why we need to keep a close watch on where and how we share our information. If an app doesn’t have a privacy policy, well, that’s probably a good sign you shouldn’t use it!

Beware of VPNs that aren’t what they seem

Let’s turn our attention now to how a generally useful tool, the virtual private network, might end up not being so “private” at all. A VPN, simply put, is a service to which users can connect for anonymizing their web browsing. Connection requests to websites don’t appear to come from your IP address at all, but instead from a server somewhere else in the world. By bouncing your connection around between multiple private servers, it’s much easier to keep your traffic private. VPNs come with plenty of benefits, and it’s worth a deeper look into how they work and how to use them — if you want to know more, we’ve done a whole Checklist episode all about VPNs you can check out on our website.

A major factor to using a VPN successfully is trust. You must be able to trust that your VPN provider is respecting your privacy — after all, you’re running traffic through their servers. The result is that sometimes users fall prey to VPN operators that are less than scrupulous in what they do with your data — and there’s always the risk of falling for an altogether fake VPN, too. As privacy threats, these are some of the most dangerous out there, because they claim to want to help you in the first place.

The risks we face from low-quality and shady VPN operators are many. One of the first big ones is the threat we’re always talking about: malware. The good news is that VPN apps on the App Store shouldn’t be exposing users to this issue, though there are other problems we’ll delve into shortly. For Android users, though, this is a big problem, and it’s always good to be aware of what might be a threat to those of us inside the Apple ecosystem.

By one study of apps on Google’s Play Store, more than 33% of the VPNs examined were deploying malware to users. If it wasn’t that, it was serving up malicious advertising on pages visited through the VPN; the result is the same — tracking and harvesting user data for profit. With fake accounts leaving highly-rated reviews and posting up heavily search engine-optimized blogs about the “best” VPNs out there, the bad guys don’t have a difficult time funneling users to their bogus services.

Malvertising targeted at VPN users is a common tactic used by the shady providers to make money, but think about it: these operators also sit on top of an absolute goldmine just waiting to be tapped — and the gold, in this case, is your browsing data. The whole idea is to hide your browsing from others, but a rogue VPN might simply take the data you generate as your requests route through their servers, repackage it, and sell it on to third-party monetizers.

In the wake of the recent US Congressional decisions that gave ISPs more power over user browsing data, several fly-by-night VPNs sprang up to assuage fears of ISP snooping. While claiming to protect users, they were more like fronts for the data collection firms. That’s not even considering the fact that some of these services aren’t VPNs at all — they just provide the illusion of masking your IP address. In reality, they’re not doing anything but using you as a vehicle for profit!

If you plan to use a VPN, either on your mobile device or a computer, proper research is an absolute must. There are trustworthy VPN providers out there, and their services can truly be invaluable. In many other cases, though, you’re putting your privacy at grave risk if you aren’t looking very carefully at what you’re signing up for — especially if you pay for a subscription. Only connect through well-reviewed, well-known, and privacy-committed VPN servers — it’s the best way to know, with as much certainty as you can, that your data will remain private. Otherwise, a VPN can become a bigger risk to your privacy than what you’re using one to avoid.

Social media connects us, but at what cost?

Ask some security experts what they think is the biggest threat to personal privacy in the world, and chances are you’ll hear  “social media” mentioned frequently. Let’s be real, though — “Facebook” is probably the more likely answer, although we can point the finger at social networking in general, too. There’s no denying the incredible connections we’ve been able to make since the rise of sites like Facebook, but it is also hard to avoid the fact that social networking continues to reach deeper into our lives.

There are all kinds of privacy threats that come along with allowing this access — and sometimes it can pose a risk even when you don’t join a site at all! For more on that subject in particular, check out our Checklist episode on social media shadow profiles; it’s an illuminating look at how sites like Facebook build databases on millions of people. That aside, what are the other ways that social media poses privacy risks?

Well, Facebook doesn’t just use its “shadow profiles” to pre-populate a page for you if you ever decide to sign up for an account; they also use this information to power other parts of its service, like “People You May Know.” There was a fascinating — and creepy! — article published on Gizmodo back in August titled “Facebook Figured Out My Family Secrets, And It Won’t Tell Me How.” The long and short of it is that Facebook suggested a profile to a woman as someone she might know, and it turned out that woman was a blood relation she had no prior knowledge of; how could Facebook know that with no other real link between them?

We don’t know. We do know that Facebook has bought information from data brokers in the past, but we know very little about the ways they use the info they gather. This story isn’t an isolated incident, either — a quick Google search will bring up plenty of stories about people connecting over Facebook and discovering previously unknown relations. That alone should be enough to give us pause; there are some real privacy concerns here.

Earlier this year, Facebook even talked about their efforts using AI to create a “map” of the general location of everyone in the world, with nearly 2 billion individuals already accounted for; sure, there are applications there, but it’s still creepy to think about at all. How much should we let sites like Facebook into our lives? You could say the same for major companies such as Google and Amazon, who provide essential services but are also gathering tons of data on all of us. The frustrating part, and what should concern us most privacy-wise, is the fact that we often have little say in what’s collected about us or when.

The way you interact with services like Twitter, Instagram, and Facebook can expose you to privacy risks, too. Think of how many people “check in” to places online or tag their tweets with their location. Should you really give that information away? While the risk of something happening might be small, unscrupulous individuals can use information gleaned from social media to fabricate a scenario perfect for social engineering. Drop enough breadcrumbs, and the bad guys might even be able to figure out a decent idea as to where you live.

Social media brings us together, it’s true — but we need to be very careful about how we use it, and how much we share online through them. We’re placing an awful lot of trust in companies like Facebook that ultimately remain shadowy about how they handle user information. We also need to know they’re taking adequate steps to protect our information. That brings us to our final topic for today.

Data breaches only continue to worsen in severity.

Just recently, we did an episode on five of the biggest breaches of sensitive user data in history — and that brings us to the final type of privacy threat we want to discuss today. Sometimes, negligence and inadequate security on a massive scale combine to threaten our personal information. The unfortunate thing about dealing with third-party data breaches is that there is little we can do regarding prevention; after all, there’s nothing the Average Joe user can do to stop hackers from breaking into an insecure server hosted by a company with whom he does business. Nonetheless, it’s easy to see these incidents as splashy headlines and big news stories, and little else — that is, of course, until your identity ends up stolen because of one of these leaks.

It’s important for all of us to understand the importance of these breaches and the risks they create. It’s not just about the inconvenience of resetting your password on a bunch of sites or the frustration that comes from reading about yet another “major hack.” There is an often genuine lax attitude towards securing user information, and as a result, users of even some of the most common and essential services are at risk — and the consequences can be very real in terms of damage to your credit and more. While we can’t fight back directly, we can take some precautions, and we can be vocal about the need for better practices and rules governing protecting our privacy.

Since our Checklist episode on data breaches, we’ve seen the emergence of an incredible new story that is mind-blowing in terms of its scope. We’re talking about the Equifax hack, of course. We don’t know the details about how the hack was performed or who did it, but what we do know is that the credit reporting agency disclosed that the hackers stole more than 140 million records for American, British, and Canadian consumers. This data included unique information such as Social Security numbers as well as birth dates and even some credit card and driver license numbers.

It’s hard to overstate the severity of this breach and the enormous potential it creates for identity theft. A huge number of American adults will likely end up with information present in the breach. There’s no telling yet what kind of impact we’ll see over the long-term, but we’re already getting some idea about potential malfeasance behind the breach. It appears that some Equifax executives unloaded a hefty amount of their stock in the company after learning about the breach but weeks before reporting it to the public.

It’s no secret that even with data breach notification laws in place, companies are hesitant to let us know they’ve exposed our information. That’s understandable, but it isn’t helpful — and that’s why breaches are one of the biggest threats to your privacy online. Another example: car insurance company AA, over in the UK, recently had databases full of customer information stolen. The company avoided directly informing its clients and danced around the issue for weeks.

Finding more stories just like that isn’t difficult; doesn’t it seem like almost every business tries to avoid the tough business of dealing with their security problems? Combating this is difficult, too. We can be selective about where we share personal information, but if a major business such as Equifax can allow its data to suffer a breach, all we can do is try to take precautions against identity theft. It’s tough to avoid being swept up in breaches when even major corporations who we’re supposed to be able to trust fail at security.

So what else can we do? We can be vocal about the need for stricter reporting requirements on companies and a better framework for dealing with breaches when they do occur. More than that, we all need to let those with whom we do business know that our privacy and security matter. These massive hacks aren’t going away — there are too many high-value targets for the bad guys! Thus, it’s crucial that we advocate actively for our privacy, too.

So that’s about it for today’s episode of The Checklist. Protecting your information online involves more than being mindful of tracking cookies and clearing out your browsing history — it demands a focus on privacy, too. A healthy skepticism about what you encounter on the Web can help keep you from falling into many of the traps out there, though it is true that in situations like major data breaches, sometimes we’re just along for the ride!

It’s easy to fall into a pattern where you feel as if you’re doing enough to protect yourself, but remember that these threats and the dangers they pose change all the time. It wasn’t too long ago that ad services teamed up with ISPs to perform a deep look at user traffic for building profiles — but the public outcry and subsequent lawsuits pushed back. Stay informed, stay engaged, and remember that ultimately it’s up to us to protect our privacy — we can’t always count on good intentions and privacy policies.

 

Sources:

https://www.networkworld.com/article/2360206/mobile-security/how-do-mobile-location-services-threaten-users.html

https://www.theverge.com/2017/6/23/15864552/snapchat-snap-map-privacy-threat

http://www.cnn.com/2011/11/07/opinion/crump-gps/index.html

http://www.huffingtonpost.com/entry/us-eliminating-rules-on-data-privacy-poses-a-serious_us_58db7592e4b0487a198a55a2

http://www.afr.com/technology/why-phone-location-data-is-the-biggest-security-threat-20151008-gk4a16

https://www.vpnunlimitedapp.com/blog/new-online-scam-fake-vpn-providers/

https://blog.avast.com/how-to-spot-fake-vpn-avast-secureline-vpn

https://www.lifewire.com/how-many-apps-in-app-store-2000252

http://gizmodo.com/facebook-figured-out-my-family-secrets-and-it-wont-tel-1797696163

https://www.theatlantic.com/technology/archive/2016/02/facebook-makes-a-new-map-of-everyone-in-the-world/470487/

https://www.dailydot.com/news/we-know-your-house-twitter/

http://www.huffingtonpost.com/sam-cohen/privacy-risk-with-social-_b_13006700.html

https://motherboard.vice.com/en_us/article/ywgdny/the-aa-exposed-emails-credit-card-data-and-didnt-inform-customers

https://www.usatoday.com/story/tech/columnist/2017/04/30/how-find-out-which-apps-sell-your-data/101049520/

Join our mailing list for the latest security news and deals