Tuesday, June 5, 2018

Tim Cook: data tracking is 'totally out of control' →

Steven Musil for CNET:

Apple CEO Tim Cook believes privacy is a basic fundamental right but warned that tracking of internet users’ data is a bigger problem than most people recognize.

Tracking is “totally out of control,” Cook said during a wide-ranging interview Monday with CNN. “I think most people are not aware of who is tracking them, how much they’re being tracked and the large amounts of detailed data that are out there about them.”

Privacy, Cook said, “is one of these key civil liberties that define what it means to be an American.”

Advertisers aren’t going to stop their nefarious ways, so the case for using Apple products grows even more.

People frequently tell me they are scared of how much data Apple has on them, but they aren’t aware the lengths the company goes to protect it (even from the Apple itself).

Friday, May 4, 2018

Apple: My request for all the data it had on me was eye-opening →

Jefferson Graham for USA Today:

It took eight days for my data to arrive from Apple, from a European office that is handling the privacy requests. After making the request, the iPhone maker first asked for my street address, phone number, the serial number of the iPhone, and other personal information before releasing it. This compares to Google and Facebook’s data dump. They asked no questions, and the results arrived swiftly-Facebook within minutes, and Google within hours.

Apple’s file on me took longer but was lightweight – a testimony, according to the company, of how little it collects and stores on its individual users.

And:

What Apple didn’t share with me is all the questions I’ve asked the Siri personal digital assistant, queries it gathers to make the artificial intelligence smarter.

The company says the data wouldn’t tell an individual user anything, since it’s not associated with him or her. Your Siri requests – “Show me how to get to PF Chang’s,” or “What year was Steve Jobs born?” go back to Apple – but it uses a random identifier to mask your identity. So a Siri search for the closest Chipotle restaurant will only tell Apple that a user requested the data, but not associate it with me.

There are people out there who hate Apple products and services, but damn if their privacy stance isn’t world-leading. There’s absolutely no debating that fact.

Monday, April 30, 2018

Privacy Policy updates are trendy

There’s a silver lining in the aftermath of the Facebook/Cambridge Analytica fiasco: everyone and their mother are updating privacy policies right now. Go ahead, check your inbox; I bet you have quite a few. Maybe it’s a bit marketing fluff, but the optimist in me hopes there is good intention.

Just in the past few weeks, I’ve received emails in regards to privacy policy updates from Twitter, Periscope, Roku, Plex, Airbnb, and Etsy. In fact, the following exchange I had with Matt Birchler from Birchtree in relation to a privacy policy update from BookBub prompted me to write this post.

Privacy is becoming increasingly more of a common thread amongst the general public, and is therefore a trendy thing to support. But that’s how things really get done on the Internet though, isn’t it? Hopefully the trend will help enable real change across Internet services and companies, like the encryption of traffic end-to-end. Hell, even the thought of insecure traffic should be a distant memory in the next few years.

One thing is for sure: companies can no longer cry innocence or näiveté for failing to protect the data of their users. Let’s hold them to it.

Friday, April 20, 2018

Google’s support of RCS without end-to-end encryption is irresponsible

Dieter Bohn from The Verge has an exclusive look at Google’s upcoming ‘Chat’ app and its use of Rich Communication Services (RCS). Together, they are the company’s latest attempt to solve the dumpster fire that is text messaging on Android.

RCS is a protocol backed by wireless carriers, and Google is the latest enabler. Here’s why I think it’s irresponsible.

Chat app and Rich Communication Services

Dieter:

Now, the company is doing something different. Instead of bringing a better app to the table, it’s trying to change the rules of the texting game, on a global scale. Google has been quietly corralling every major cellphone carrier on the planet into adopting technology to replace SMS. It’s going to be called “Chat,” and it’s based on a standard called the “Universal Profile for Rich Communication Services.” SMS is the default that everybody has to fall back to, and so Google’s goal is to make that default texting experience on an Android phone as good as other modern messaging apps.

Maybe the app will have more feature parity with iMessage, and that would be great for Android users. But what good is it when you factor in the following?

  1. The traffic path is no different than SMS. It goes phone > carrier > phone. We all know how much carriers love our data, and how easily it can be accessed or even subpoenaed.
  2. Also like SMS, RCS traffic is not encrypted end-to-end.

The above points are the largest problems with all of this. In a day and age where data breaches and the selling or mishandling of personal data are sadly commonplace, unencrypted traffic is simply irresponsible. Public awareness of security and privacy are more at the forefront and can only increase.

Why not replicate iMessage?

As Dieter talks about, Google also has self-imposed limitations because of Android’s openness. You see, they won’t go all in on a purely in-house messaging service (like iMessage), because every text would have to route through them. In essence, Google isn’t empowered to replicate iMessage because they share the Android ecosystem. Whereas Apple is the Apple ecosystem.

One of the major complaints about Apple is how closed off they are. Apparent here, the benefit is tighter integration within their ecosystem of apps, services, and hardware.

Dieter also thinks Apple will adopt RCS, but I don’t see them backing it for a couple reasons:

  1. Aside from lackluster encryption, it competes too directly with iMessage on a feature level.
  2. iMessage is a huge reason people don’t switch to Android.
  3. The entire protocol would have to be encrypted end-to-end and supported by all other manufacturers and their messaging apps. Sure, Apple supports (unencrypted) SMS right now, but only out of necessity and precedence.

I don’t see Apple replacing SMS or introducing RCS simply for the sake of iMessage-like features without the security.

If anything, this further cements iMessage as the texting king.

Update for clarity: my case is essentially for end-to-end encryption, so I made a couple small edits to make it clearer.

Wednesday, March 28, 2018

Facebook reportedly delays home speaker amid data crisis →

Sarah Frier for Bloomberg:

Facebook Inc. has decided not to unveil new home products at its major developer conference in May, in part because the public is currently so outraged about the social network’s data-privacy practices, according to people familiar with the matter.

The company’s new hardware products, connected speakers with digital-assistant and video-chat capabilities, are undergoing a deeper review to ensure that they make the right trade-offs regarding user data, the people said. While the hardware wasn’t expected to be available until the fall, the company had hoped to preview the devices at the largest annual gathering of Facebook developers, said the people, who asked not to be named discussing internal plans.

Good. I hope any device Facebook puts out now will be seen as extremely toxic.

Repeat after me: when it comes to Facebook (and Google), you are the product. To chart the comfortability of having these smart speakers in my home from most to least, it would go: HomePod > Echo > Google Home. Facebook’s would never even make the cut.

Wednesday, March 21, 2018

WhatsApp founder joins the #deletefacebook movement →

Casey Newton for The Verge:

In 2014, Facebook bought WhatsApp for $16 billion, making its co-founders — Jan Koum and Brian Acton — very wealthy men. Koum continues to lead the company, but Acton quit earlier this year to start his own foundation. And he isn’t done merely with WhatsApp — in a post on Twitter today, Acton told his followers to delete Facebook.

“It is time,” Acton wrote, adding the hashtag #deletefacebook. Acton, who is worth $6.5 billion, did not immediately respond to a request for comment. WhatsApp declined to comment.

What Facebook and Cambridge Analytica have done is purely vile. Facebook’s user count has been in decline, anyway, as millennials flee the service for alternatives. 1 If you ever were in doubt as to Facebook’s privacy policies, look at their track record and let this be the final nail in the coffin. If only there would be a swift demise to both companies. #deletefacebook


  1. Though most are on Instagram, which is also owned by Facebook. 

Sunday, December 17, 2017

Mozilla’s sneaky, misguided ‘Mr. Robot’ promo plugin →

Kate Conger for Gizmodo:

Mozilla sneaked a browser plugin that promotes Mr. Robot into Firefox—and managed to piss off a bunch of its privacy-conscious users in the process.

The extension, called Looking Glass, is intended to promote an augmented reality game to “further your immersion into the Mr. Robot universe,” according to Mozilla. It was automatically added to Firefox users’ browsers this week with no explanation except the cryptic message, “MY REALITY IS JUST DIFFERENT THAN YOURS,” prompting users to worry on Reddit that they’d been hit with spyware.

Mozilla’a defense of the plugin:

Mozilla justified its decision to include the extension because Mr. Robot promotes user privacy. “The Mr. Robot series centers around the theme of online privacy and security,” the company said in an explanation of the mysterious extension. “One of the 10 guiding principles of Mozilla’s mission is that individuals’ security and privacy on the internet are fundamental and must not be treated as optional. The more people know about what information they are sharing online, the more they can protect their privacy.”

What. The. Actual. Fuck?

This is incredibly wrong on so many levels, all for what I can imagine is a nice paycheck. Mozilla’s cited guiding principle completely contradicts the nature in which this plugin was installed. I can’t fathom how they can be so insanely obtuse. Mozilla, typical bastion of privacy, security, and general do-goodedness, has taken a terribly misguided step here. Asking fans of the show to download the plugin would have been the most sensible way to play this, instead of hiding behind the guise of the alternate reality game itself.

How do companies pull crap like this and think they can get away with it? Internet backlash is swift and damning. I was going to say I’d expect this more from Google than Mozilla, but I don’t think even Google would be so reckless as to try something like this.

Due to the blowback, Mozilla has pledged to move the plugin to its rightful place in the extension store (hey, imagine that). Regardless, they should be embarrassed by this nonsense.

Wednesday, November 22, 2017

Google collects Android users’ locations even when location services are disabled →

Keith Collins for Quartz:

Since the beginning of 2017, Android phones have been collecting the addresses of nearby cellular towers—even when location services are disabled—and sending that data back to Google. The result is that Google, the unit of Alphabet behind Android, has access to data about individuals’ locations and their movements that go far beyond a reasonable consumer expectation of privacy.

Quartz observed the data collection occur and contacted Google, which confirmed the practice.

Explanation by Google:

“In January of this year, we began looking into using Cell ID codes as an additional signal to further improve the speed and performance of message delivery,” the Google spokesperson said in an email. “However, we never incorporated Cell ID into our network sync system, so that data was immediately discarded, and we updated it to no longer request Cell ID.”

Don’t be evil [and get caught]. ™

On a serious note, when location services are disabled, nothing better be using or logging my whereabouts. Furthermore, who is to say the data they collected was really discarded? Caveat emptor.