
Online apps and social media platforms heavily track your behavior, without your consent

Are you being tracked online? New research says yes — especially on the largest social media platforms out there.

Applications like YouTube and TikTok track your digital movements with more than a dozen first- or third-party trackers. These are ‘invisible’ stretches of code that allow for the gathering of user behavioral data even when said users opt out of sharing their personal information. The findings come from an analysis performed by Atlas VPN, a private company offering virtual private network (VPN) services, which help protect user anonymity online.

Although Atlas VPN has a vested interest in these results — as a company that sells products that work directly against tracking software — their report does align well with the hushed suspicions many of us harbor with regard to digital platforms. The findings are also validated by being part of a larger study of 200 iOS apps conducted with Apple’s Record App Activity feature.

Tracked

“Internet users are starting to care more and more about their privacy, which challenges app developers to engage customers using first-party data strategies and tools,” said Vilius Kardelis, Junior PR Manager at Atlas VPN. “Currently, customers cannot see what data is being shared with third-party trackers or how their data will be used, creating a lack of transparency between the brand and the consumer.”

According to the company, YouTube contains 10 first-party trackers and 4 third-party trackers; TikTok, on the other hand, has 1 first-party and 13 third-party trackers. The difference between these two types of trackers is where they beam back the data they collect. First-party trackers send it back to the application’s domain (so, for example, one on YouTube will send it back to Google, which owns the platform), while third-party trackers send it to some other domain. The last kind is particularly concerning for most people, as the ultimate destination of the data is not shown to users, nor how it is going to be processed and used.

Social media applications analyzed in the study averaged around 6 trackers; Facebook, Snapchat, WhatsApp, and Messenger were the most modest offenders, containing a single tracker each.

TikTok recently became the most popular website worldwide, snatching that distinction from Google late last year. As such, the high number of trackers it uses, especially third-party ones, is particularly concerning. The website is also owned by a Chinese company, and all Chinese companies are required by law to provide any data that the Chinese government requires. What exactly TikTok does with all that user data is, obviously, not clear.

Data for the above-mentioned study, of which these results are also part, were obtained using Apple’s Record App Activity feature. This allows users to track which apps on their device connect to networks. Each of the studied apps was downloaded, started up once, and not registered, to determine a beginning set of connections.
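As an added example (not code from the study or from Atlas VPN), the first-party/third-party split described above can be computed from a Record App Activity export. The record layout (`type`, `bundleID`, `domain`, `hits`), the sample records and the `FIRST_PARTY` owner map are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample in the NDJSON layout assumed for a Record App Activity
# export (one JSON object per line). Bundle IDs and domains are made up.
SAMPLE_EXPORT = """\
{"type":"networkActivity","bundleID":"com.example.video","domain":"api.video.example","hits":12}
{"type":"networkActivity","bundleID":"com.example.video","domain":"cdn.video.example","hits":40}
{"type":"networkActivity","bundleID":"com.example.video","domain":"metrics.adnet.test","hits":3}
{"type":"access","bundleID":"com.example.video","category":"camera"}
{"type":"networkActivity","bundleID":"com.example.news","domain":"news.example","hits":5}
{"type":"networkActivity","bundleID":"com.example.news","domain":"pixel.adnet.test","hits":9}
{"type":"networkActivity","bundleID":"com.example.news","domain":"sdk.analytics.test","hits":2}
{"type":"networkActivity","bundleID":"com.exam
"""

# Assumption: registrable domains owned by each app's publisher.
FIRST_PARTY = {
    "com.example.video": {"video.example"},
    "com.example.news": {"news.example"},
}

def is_first_party(domain, owned):
    """True if domain equals an owned domain or is a subdomain of one."""
    domain = domain.lower().rstrip(".")
    return any(domain == o or domain.endswith("." + o) for o in owned)

def classify(export_text, first_party=FIRST_PARTY):
    """Return {bundleID: {"first": set, "third": set}} of contacted domains."""
    report = defaultdict(lambda: {"first": set(), "third": set()})
    for line in export_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or corrupt lines
        if not isinstance(rec, dict) or rec.get("type") != "networkActivity":
            continue  # permission/sensor records are out of scope here
        app, domain = rec.get("bundleID"), rec.get("domain")
        if not app or not domain:
            continue
        kind = "first" if is_first_party(domain, first_party.get(app, ())) else "third"
        report[app][kind].add(domain.lower())
    return dict(report)

if __name__ == "__main__":
    for app, d in classify(SAMPLE_EXPORT).items():
        print(app, "first-party:", len(d["first"]), "third-party:", len(d["third"]))
```

Matching on a leading dot keeps a look-alike such as `notvideo.example` from being counted as first-party.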

Unsurprisingly, in the last few years, businesses selling powerful proxy services or VPN services have boomed. A proxy service (whether it’s an individual proxy or a datacenter proxy) acts as an intermediary between a user and the server while a VPN extends a private network across a public network, enabling the user to send and receive data across shared or public networks as if they were using a private network. This increased demand in proxies and VPNs comes down to better technological infrastructure and capability, but it is undeniably driven by increased demand from the public for internet anonymity and privacy. Findings such as these validate this consumer desire, showcasing the incredible extent to which our behavior is tracked and monetized online without our consent.

Oh, and if you thought social media was the worst offender, think again. These apps, in fact, made the fewest network connections among the 20 categories of apps that the study investigated. Magazine, news, and sports apps made the most, with 26, 21, and 18 connections upon download respectively. Most of these were third-party trackers.

There’s no reason to believe that companies will track us any less in the future. Such behavior is a lucrative business and, unless customers and lawmakers push against it, companies are unlikely to give up a golden goose.

Password meters may actually help make your data less secure by offering ‘misleading’ advice

Password meters are meant to help secure your data, but some may be doing the exact opposite. A new paper explains that the “inconsistent and misleading” advice such helpers often give can promote weak passwords.

Image credits Markus Spiske.

The study from the University of Plymouth assessed the effectiveness of 16 password meters that are likely to see heavy and regular use. While it focused heavily on sites dedicated to this purpose, the study also included meter systems embedded in online platforms such as Dropbox and Reddit.

They concluded that there is a wide range of advice that these different platforms offer users, with various levels of quality (some being pretty abysmal).

Qwerty1234

“What this study shows is that some of the available meters will flag an attempted password as being a potential risk whereas others will deem it acceptable,” explains Steve Furnell, a Professor of Information Security and Leader of the University’s Centre for Security, Communications & Network Research, the study’s author.

“Security awareness and education is hard enough, without wasting the opportunity by offering misleading information that leaves users misguided and with a false sense of security.”

Furnell pitted 16 passwords of varying degrees of reliability — 10 of them were selected from rankings of the world’s most commonly-used passwords — against a number of meters. The purpose of such meters is to help users pick effective and secure passwords.

However, some will not even flag ‘123456’, ‘qwerty’ or ‘iloveyou’ — all listed among the worst passwords of 2019 — as being unsafe. Only five of the 10 explicitly weak passwords were consistently flagged as such by the meters. ‘Password1!’ performed surprisingly well — three meters even rated it as secure or very secure. You should probably change it on any platform you’re using it for right now.
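The inconsistency described above, as an added example that is not taken from the paper or from any of the meters it tested: a meter that scores only length and character classes, next to one that checks a common-password list first. Both functions, the three-level scale, the short `COMMON` list (built from passwords named in this article) and the random-looking sample are assumptions for illustration.

```python
import string

# Constructed blocklist from passwords named in the article; a deployed
# meter would load a far larger list of common and breached passwords.
COMMON = {"123456", "qwerty", "iloveyou", "password"}

def composition_meter(pw):
    """Naive meter: rewards length and character variety only."""
    classes = sum(any(c in group for c in pw) for group in (
        string.ascii_lowercase, string.ascii_uppercase,
        string.digits, string.punctuation))
    if len(pw) >= 10 and classes >= 3:
        return "strong"
    if len(pw) >= 6:
        return "fair"
    return "weak"

def base_word(pw):
    """Lowercase and strip trailing digits/symbols ('Password1!' -> 'password')."""
    return pw.lower().rstrip(string.digits + string.punctuation)

def blocklist_meter(pw):
    """Reject known-common passwords and their decorated variants first."""
    if pw.lower() in COMMON or base_word(pw) in COMMON:
        return "weak"
    return composition_meter(pw)

# Last entry is a constructed stand-in for a browser-generated password.
SAMPLES = ["123456", "qwerty", "iloveyou", "Password1!", "Qwerty1234",
           "t7#Vq9!mZr2$Lx"]

def compare(passwords=SAMPLES):
    """Return (password, naive rating, blocklist-aware rating) rows."""
    return [(pw, composition_meter(pw), blocklist_meter(pw)) for pw in passwords]

if __name__ == "__main__":
    for row in compare():
        print("%-16s naive=%-6s blocklist=%s" % row)
```

The naive meter never calls the common passwords weak and rates the decorated variants strong, while the blocklist-aware meter flags all five and still rates the random string strong.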

Professor Furnell explains that the issue is further exacerbated by the fact that some of the most prominent online platforms out there haven’t improved or expanded on the password guidance they offer to users. Most of the top-ten biggest English-speaking websites are guilty of this, the study found.

And it’s not a victimless oversight. Furnell cites Verizon’s 2017 “Data Breach Investigations Report” as finding that around “81% of hacking-related breaches had ‘leveraged either stolen and/or weak passwords’”.

Not all is lost, however. A browser-generated password used in the study was consistently rated strong, so we can probably trust these automatically-generated passwords.

“Password meters themselves are not a bad idea, but you clearly need to be using or providing the right one,” the paper explains. “It is also worth remembering that, regardless of how the meters handled them, many systems and sites would still accept the weak passwords in practice and without having offered users any advice or feedback on how to make better choices.”

“While all the attention tends to focus on the replacement of passwords, the fact is that we continue to use them with little or no attempt being made to support users in doing so properly. Credible password meters can have a valuable role to play but misleading meters work against the interest of security and can simply give further advantage to attackers.”

The paper “Password meters: inaccurate advice offered inconsistently?” has been published in the journal Computer Fraud & Security.


Yesterday, US officials said you had no right to online privacy — we don’t agree so here’s Internet Noise to help you out

In the wake of yesterday’s decision by the House of Representatives to allow internet service providers to sell browsing data, one programmer is determined to make that data as worthless as possible — and he’s willing to share his work.

If you’re anything like me, when the House of Representatives decided yesterday that ISPs can sell your browsing data to basically anyone, you were positively furious. The word bull and something closely resembling the word “ship” rolled around in my head like a marble in a cup. I go to the Internet partly to work, partly to disconnect from the real world. And I like my privacy for both of those things.


“You can’t have it.” — bunch of US officials.

Harsh, I still want my privacy. I wanna browse pictures of cats in peace, then share a laugh over them without someone uninvited seeing any line of chat. I want to read NASA’s latest tidbits without the NSA (subtracting an A makes a huge difference) peering over my shoulder.

It’s my experience. It’s my little corner of the immaterial. I don’t want anyone to burst in on it. If I wanted to be under constant surveillance I’d fly to London. But I don’t, so I just Google-Map London and use the tiny yellow guy to see the sights.

*sigh*

That’s not how it works, though, and I know that. ISPs keep track of everything you do because they actually connect you to the disjointed bits and servers to create the seamless Internet we know and love. For the most part, they had to keep this data to themselves, so we had some modicum of privacy. That’s about to change for those of you living in the US, congrats, since that data is now up for grabs by anyone who can pay for it — and make no mistake, people will pay for it, profile you with it, and then try to sell you stuff according to that profile. Because capitalism.

I’m not a fan of that. Somehow it manages to have this 1984-meets-Brave New World vibe and I don’t want any of it, no siree. Paint me a barbarian but I’d rather not get a 10% discount on something I may actually want if it means a server somewhere is crunching my 3 AM alcohol-fueled-research of exotic cuisine on Wikipedia like so many 1’s and 0’s.

Luckily, there’s one brave soul out there who feels the same way I do but also has the skills to do something about it. His name is Dan Schultz, and he has the next-best-thing after Internet invisibility. Dan heard about the vote on Twitter somewhere around 1 AM, turned off Zelda and coded Internet Noise — a tool which will shotgun searches in your browser left and right, all in the name of foggifying your real searches in a deluge of random ‘noise’.

“I cannot function in civil society in 2017 without an internet connection, and I have to go through an ISP to do that,” he says.

Hiding in plain sight

Internet Noise acts like your run of the mill browser extension, but in truth, it’s just a website which will auto-open a bunch of random Google search tabs. The idea is that if you can’t keep an ISP from profiling you, you can at least give them a false image of yourself. It’s a pretty sad thing to need such a tool, and Schultz himself hopes that Noise will help people understand the risk their online privacy is under at this point.

It’s a pretty straightforward program. Schultz simply googled “top 4,000 nouns” and made a gibberish-list with all of them. With a click on “Make some Noise”, Internet Noise draws on the magic powering Google’s “I’m feeling lucky” button to search for those terms or permutations of them, opening five tabs of results. Ten seconds later, you get another five, then five more, and so on. It will keep going until you hit “STOP THE NOISE!”, by which point your browsing history should look like a potpourri of random links. Schultz says the best way to use it is to start the Noise when you call in for the night and stop it the next day.

Soon enough, you’ll start seeing some pretty random stuff popping up in your Facebook feed, for example. Stuff you won’t have the first clue as to what it is, and that’s proof the Noise is working, muddying your Internet activity profile, causing algorithms to spew out all kinds of false positives.


Image credits g4ll4is / Flickr.

Still, it’s not a do-all-end-all program. Anyone slightly more competent than your average advertising company could probably pick out your searches from the noise with a decent success rate since they’re obviously random clicks that have little follow-through. With 4,000 terms and 16,000,000 two-word combinations of them to rifle through, it’s also really unlikely to visit a page once and astronomically unlikely to visit it three or more times. It’s a really random fog-maker and its activity doesn’t look human or plausible enough to be truly good at masking your activity. A smart enough algorithm can probably pick Noise apart in a few seconds. But not all algorithms are smart.
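The limitation described above, as an added simulation that is not part of Internet Noise: uniformly random two-noun searches almost never repeat, so keeping only repeated queries removes nearly all of the noise. The synthetic noun names, the `HUMAN` history and the uniform-sampling model are assumptions constructed for illustration.

```python
import random
from collections import Counter

NOUNS = 4000            # size of the noun list, from the article
PAIRS = NOUNS * NOUNS   # 16,000,000 ordered two-word combinations

def expected_repeated_pairs(n_searches, space=PAIRS):
    """Birthday-style estimate of how many pairs of searches coincide."""
    return n_searches * (n_searches - 1) / (2 * space)

def simulate_noise(n_searches, seed=1):
    """Uniformly random two-noun queries (simplified model of the tool)."""
    rng = random.Random(seed)
    return [f"noun{rng.randrange(NOUNS)} noun{rng.randrange(NOUNS)}"
            for _ in range(n_searches)]

def repeated_queries(history, min_visits=2):
    """Keep only queries seen at least min_visits times."""
    counts = Counter(history)
    return {q for q, c in counts.items() if c >= min_visits}

# Constructed "real" activity: a few interests, each revisited.
HUMAN = ["weather forecast"] * 4 + ["train timetable"] * 3 + ["pasta recipe"] * 2

def demo(hours=8):
    """Run the tool overnight: five searches every ten seconds."""
    n = hours * 360 * 5
    kept = repeated_queries(simulate_noise(n) + HUMAN)
    human_kept = kept & set(HUMAN)
    return n, len(kept - human_kept), human_kept

if __name__ == "__main__":
    n, noise_left, human_kept = demo()
    print(f"{n} noise searches, ~{expected_repeated_pairs(n):.1f} expected repeats")
    print(f"noise queries surviving the filter: {noise_left}")
    print(f"real queries surviving the filter: {sorted(human_kept)}")
```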

It might even get you into some more hardcore surveillance if the program searches add up to something which appears sketchy. Schultz obviously hasn’t been able to pedigree all the terms to see if any could land you in a spot of trouble — think “pipes”, “industrial fertilizers”, and “do we really need the government” in one night. I’m exaggerating on that last one just to prove a point.

At the end of the day, though, Schultz says the main point is to raise awareness. However, the project is open source and could evolve into a more complex program. People are already contributing, fixing minor bugs and some are suggesting possible improvements. But until more efficient privacy kits become available, your only real option is to learn as much as you can about what the tools you use can and can’t do and try to dodge the system as well as possible beyond what they offer.

But I do harbor hope. Internauts have never had much political traction, but they’ve never lacked for imagination, resourcefulness, and a brash commitment to stick it to the man when his ethics fall into question. The Noise might be feeble, but its offspring won’t.

If you missed it, here’s a link to Internet Noise:

https://slifty.github.io/internet_noise/index.html (Noise-me!)