North Carolina State University researchers have found, in a study of 100,000 apps in the Google Play market, half contained ad libraries. Should you care?
Ad libraries pay for your “free” Android app. The app retrieves ads from a remote computer (server) and periodically runs the ad on your phone. Every time the ad runs the app developer gets paid.
The problem is that the advertisers receive the same permissions as the app. So the navigating app, which needs to know your location in order to operate, also allows the advertiser to know where you are. The app the can access call logs and your address book allows the advertiser to also address your call logs and your address book. Should you care?
Yes, you should care. While there may be some issue with the allowing the advertiser the same access as the app, after all it is an access which the advertiser does not need, the bigger issue is the security around the access. Many of the ad libraries have insufficient security when they access your phone. This gives bad guys a back door into your phone to be able to either collect data or introduce malware to collect all of the data that passes through your phone. Of the apps studied, 297 allowed ad libraries themselves to download and run code form remote computers, thus heightening your security risk.
The study is located at: http://www.csc.ncsu.edu/faculty/jiang/pubs/WISEC12_ADRISK.pdf
For a period of two years, Google collected Wi-Fi data from people’s unsecured wireless networks – a practice commonly known as “war driving.” This was all part of Google’s street view program which, apparently, collected more than street level photographs for Google maps. Since wireless network routers are generally sold in an unsecured state, leaving the home owner to set up the security, Google probably accessed and stored a lot of data homes and businesses. Reports from other countries, which were able to gather more information about the practice, note that information included banking information, health information and even evidence of an extra-marital affair.
The FCC began investigating this issue in 2010 and concluded its investigation in April, 2012 with the issuance of a “Notice of Liability of Forfeiture.” In the Notice, the FCC cited Google’s slowness and unresponsiveness in responding to FCC inquiries and fined Google $25,000. Google’s revenue for 2011 was $37.9 billion. In a sense, the FCC has set a low price tag for evasiveness and unresponsiveness.
There was no fine for the war driving. The FCC agreed with Google’s argument that the Wiretap Act expressly exempted the interception of radio communications sent in a manner that is readily accessible to the general public. Since the Wi-Fi messages were unencrypted the messages must have been made available to the general public. That would be the “general public” that knows about and how to use packet sniffing technology. This argument is also contrary to the court’s decision in Goodman v. Harding (http://www.leagle.com/xmlResult.aspx?page=2&xmldoc=199982639FSupp2d787_1748.xml&docbase=CSLWAR2-1986-2006&SizeDisp=7) in which the defendant used a police scanner to listen in and record his next door neighbors cordless phone communications.
On the other hand, the class action lawsuit begun in response to Google’s war-driving is still working its way through the courts. Perhaps Google will receive a stronger rebuke through the civil courts than it received from the FCC.
Like this:
Calyx Institute Seeks to Create Privacy Oriented ISP
Nicholas Merrill is crowd sourcing his fund raising to create to create a privacy oriented ISP, the Calyx Institute. Mr. Merrill achieved some fame in 2010 when he was released from a 6 year gag order related to his role as a founder of an Internet service who refused to turn over client records pursuant to an NSA National Security Letter (see: http://www.wired.com/threatlevel/2010/08/nsl-gag-order-lifted/). In response to this experience, Mr. Merrill now seeks to create a privacy oriented ISP.
The creation of a privacy-oriented ISP is an interesting idea, much like the creation of a privacy oriented social network (see: http://simonkraussprivacyeye.com/2010/09/28/diaspora-an-attempt-at-a-privacy-oriented-social-network/). On its website, https://www.calyxinstitute.org/, the Calyx Institute provides some clues as to how it will provide privacy. First, note the Calyx Institute URL. Even when visiting the home page the Calyx Institute provides a layer of encryption through the use of SSL or TLS certificates. This means that when you are at the Calyx Institute web page it would be difficult for someone to eavesdrop the link between you and the web page.
CNET reports that Calyx will provide its users with encryption keys and limit logging. This will limit the ability for Calyx to respond to law enforcement wiretap orders as, with limited logging, it will have limited information to provide law enforcement. By providing encryption keys to its users, but not keeping copies of the keys itself, Calyx will not have to decrypt any of its subscribers’ sessions pursuant to CALEA, the Communications Assistance for Law Enforcement Act. CALEA mandates that a telecommunications provider decrypt the surveillance target’s communications if the telecommunications provider has the keys.
The Calyx Institute’s approach to privacy appears to be, initially, oriented to protecting its subscribers from government surveillance. It is not clear how the Calyx Institute will shield its subscribers from commercial tracking, such as “Do Not Track.”
The Calyx Institute does state that it will:
- Promoting ‘best practices’ with regard to privacy and freedom of expression within the telecommunications industry
- Conducting research into privacy technology for the Telecommunications and Internet Provider industries
- Providing a ‘test bed’ environment for the development and deployment of secure voice, data and mobile services
- Legal advocacy and defense
With two law firms on its advisory board, it looks like the Calyx Institute is ready to back up its last bullet point. For more on Nicholas Merrill and the Calyx Institute: http://news.cnet.com/8301-31921_3-57412225-281/this-internet-provider-pledges-to-put-your-privacy-first-always/
Over the last few days there is more and more focus on job applicants and student athletes being asked to disclose their Facebook password so the interviewer can look at the applicant’s Facebook account. Some of these Facebook password disclosure requests appear to be for good reason. After all, you wouldn’t want someone with gang affiliations becoming a police officer – would you? Is it okay then if they work with you in your workplace? Isn’t looking at someone’s Facebook pages just like when the FBI or the NSA does background checks on prospective agents, but now it is easy for every employer to do it? Shouldn’t all employers use easy and low cost (free!) means to make sure that they are hiring the right people for their workplace?
The answer is no. Why people may debate the morality and social obligations for employers to be able to review job applicant Facebook pages I think (just my thoughts here, not legal advice – go read my “About Me” page again) employers are opening up a legal can of worms when they go snooping through job applicant’s Facebook postings.
For starters, there are a number of laws prohibiting discrimination based on race, creed, family status, disability, etc. Job interviewers are trained to not even think about asking questions related to one of these “protected classes.” When an interviewer, trained in the art of not asking the wrong questions, looks into the applicant Facebook page and discovers that she is 2 months pregnant does the interview have special training to erase the memory? Put another way, when the pregnant job applicant is declined the job will she be thinking lawsuit? Class action lawsuit?
Then, there are the friends of the job applicant. The people who have been posting away with their security settings set to maximum non-disclosure. Would they have a right of action against the friend who violated their privacy in the hopes to get a job? What about the potential employer?
As the pace of technical change has accelerated we are stumbling our way through the social implications of all of our new found technical abilities. The Facebook password debacle is just one more example of people connecting the wrong dots. Looking into someone’s Facebook page is not like the FBI questioning everyone who ever knew a prospective agent. The FBI’s questions are pointed (or at least they should be) and the people questioned are not divulging information about themselves. Looking at a job applicant’s Facebook pages is more like asking a torrent of poorly thought out interview questions and will lead to a similarly poor result.
For a roundup of some of these stories see Atequ Khaki’s story at the Huffington Post: http://www.huffingtonpost.com/ateqah-khaki/facebook-password_b_1376254.html).
An Innocuous Looking Box that Hacks into your Network
Meet Pwn Plug:
It looks kind of like an air freshener (see the “fressh” sticker?) or a power adapter. It is neither. The Pwn Plug is a computer packed with hacker software that can be accessed remotely and very covertly to hack into a computer or a network of computers. Pwn Plug is manufactured with a legitimate purpose. Security professionals can use Pwn Plug to perform “penetration testing.” Penetration testing is the authorized hacking into a network to identify vulnerabilities. IT departments can use Pwn Plug to service remote enterprise computers and networks.
However, it is easy to envision a hacker coming to a business claiming that they are conducting an energy audit or are there to work on the electrical system, plugging in a Pwn Plug and walking away. I wonder if Pwn Plugs would be considered “criminal instruments” under the laws that cover the ownership and use of burglary tools.
If you are looking for a Pwn Plug on your system, don’t just look for the “fressh” sticker. Pwn Plugs come with a variety of “stealthy decals.”
For more information see: http://pwnieexpress.com/
Nice Infographic Demonstrating the Perils of Internet Privacy
Abine, maker of online privacy tools, has created a nice inforgraphic showing how privacy is lost online and what can be done about it. It is a good chart to look at in light of the White House’s proposed “privacy bill of rights.” The chart is long and may found at: http://abine.com/wordpress/wp-content/uploads/2012/02/abine_infographic.jpg. Before I reproduce it below, I would point out the key feature is the three grey boxes towards the bottom, where three of the harms that can arise from Internet privacy are described. These three harms: unknown parties creating dossiers on you that can affect things such as your aiblity to obtain credit, a narrowing of the Interent to just what others perceive to be your interests and the opportunity for identity theft are a good examples as to why individuals who uses the Internet and companies who collect data should not be cavalier about privacy. The Internet is a large, complex place and having tools guide you to what you find interesting can be helpful. But they can’t be limiting tools or flawed tools. The Fair Information Privacy Practices that form the basis of the “privacy bill of rights” promote the transparency and control needed to assist providers and users of consumer data in limiting the harms described in Abine’s three gray boxes. Here’s the infographic:
Nice Infographic Demonstrating the Perils of Internet Privacy
Abine, maker of online privacy tools, has created a nice inforgraphic showing how privacy is lost online and what can be done about it. It is a good chart to look at in light of the White House’s proposed “privacy bill of rights.” The chart is long and may found at: http://abine.com/wordpress/wp-content/uploads/2012/02/abine_infographic.jpg. Before I reproduce it below, I would point out the key feature is the three grey boxes towards the bottom, where three of the harms that can arise from Internet privacy are described. These three harms: unknown parties creating dossiers on you that can affect things such as your aiblity to obtain credit, a narrowing of the Interent to just what others perceive to be your interests and the opportunity for identity theft are a good examples as to why individuals who uses the Internet and companies who collect data should not be cavalier about privacy. The Internet is a large, complex place and having tools guide you to what you find interesting can be helpful. But they can’t be limiting tools or flawed tools. The Fair Information Privacy Practices that form the basis of the “privacy bill of rights” promote the transparency and control needed to assist providers and users of consumer data in limiting the harms described in Abine’s three gray boxes. Here’s the infographic (it looks like the infographic is too large for WordPress. Please double click on it to see the whole thing. The first click will show it very small. The second click will bring it up full size:
