WYSK: 01/07/22

This Week: 1. Extrapolation Tracking; 2. Carter's Fear; 3. Kazakhstan Unrest; 4. Children's Privacy

WYSK: 01/07/22

What you should know from the week of 01/07/22:

  • Extrapolation Tracking: How can apps track location?
  • Carter's Fear: Jimmy Carter sees "victory at any cost" politics demolishing democracy;
  • Kazakhstan Unrest: Spiking energy prices and an authoritarian regime spark democratic protests---Kazakh president invites Russian troops in;
  • Children's Privacy: US privacy laws protecting children are insufficiently enforced while children are increasingly targeted by advertisers.

Extrapolation Tracking:

Security Researcher Finds Facebook App Tracking iPhone Movements
New warning as Facebook app is suddenly caught secretly ‘spying’ on millions of iPhone users…

A disappointing article from Zak Doffman in Forbes from October.

Doffman took existing research on the use of accelerometer data in Facebook applications, and then made a large leap to report on conjecture.

Two researchers—Talal Haj Bakry and Tommy Mysk—identified that the Facebook, Instagram, and WhatsApp applications constantly collect accelerometer data. In particular, users cannot turn off this sharing in the Facebook and Instagram apps:

In Facebook and Instagram,” Mysk told me, “it is not clear why the app is reading the accelerometer—I couldn't find a way to disable it.”

Mysk and Haj Bakry later go on to note that it is possible for this accelerometer data to be used to extrapolate on location:

For example, if you are on the bus and a passenger is sharing their precise location with Facebook, Facebook can easily tell that you are in the same location as the passenger. Both vibration patterns are going to be identical, e.g. the bus suddenly stops or takes off.
-From Mysk's Twitter

However Doffman's article buries the fact that Mysk and Haj Bakry merely noted this kind of correlation was possible, and reports too strongly on these research findings.

Facebook is a pretty indefensible company and has a clear history of lying and harming consumers, and so it is easy to assume malicious intent on Facebook/Meta's part when they engage in excessive data collection. But it is not correct to make that assumption. I'm taking the time to note this article in WYSK because too much tech dialog devolves into dogmatic tech-bashing, or blindly ideological pro-tech fervor.

We need to view the rosy promises of tech companies critically and not just accept all of their preaching at face value, but it is similarly important to avoid credulously accepting any accusations.

Carter's Fear:

Former President Jimmy Carter penned an op-ed in the New York Times this week—largely in response to the anniversary of January 6—expressing grave concern in the vitality of our democracy, calling urgently for American unity in our fundamental principles and joint interests:

I now fear that what we have fought so hard to achieve globally — the right to free, fair elections, unhindered by strongman politicians who seek nothing more than to grow their own power — has become dangerously fragile at home.

I agree.

One of the key causes Carter identifies as leading this fragility is a broad interest in political victory at any cost:

[Some politicians] seek to win by any means, and many Americans are being persuaded to think and act likewise, threatening to collapse the foundations of our security and democracy with breathtaking speed.

He provides five key recommended actions to combat this issue:

First, while citizens can disagree on policies, people of all political stripes must agree on fundamental constitutional principles and norms of fairness, civility and respect for the rule of law...

Second, we must push for reforms that ensure the security and accessibility of our elections and ensure public confidence in the accuracy of results. Phony claims of illegal voting and pointless multiple audits only detract from democratic ideals...

Third, we must resist the polarization that is reshaping our identities around politics. We must focus on a few core truths: that we are all human, we are all Americans and we have common hopes for our communities and our country to thrive...

Fourth, violence has no place in our politics, and we must act urgently to pass or strengthen laws to reverse the trends of character assassination, intimidation and the presence of armed militias at events...

Lastly, the spread of disinformation, especially on social media, must be addressed. We must reform these platforms and get in the habit of seeking out accurate information...

Kazakhstan Unrest:

How protests in Kazakhstan could become a geopolitical crisis
Protests that began over gas prices have ushered in unrest and Russian troops.

Jen Kirby wrote in Vox this week about unrest in Kazakhstan, a post-soviet Central Asian state that borders Russia and China.

Peaceful protests began in Zhanaozen, a city in the western corner of Kazakhstan, earlier this week. A rise in fuel prices in this oil-rich city triggered the demonstrations, though it tapped into deeper grievances about the country’s economic and political structure.
But those peaceful protests have since been overtaken by chaotic and confusing scenes of unrest across Kazakhstan...
At the request of President Kassym-Jomart Tokayev, Russia has sent in troops to help tamp down the violence...
Tokayev has said security forces have regained control, though he said Friday that forces should “shoot without warning” to kill.

The BBC expands on some of the political issues, noting that Kazakhstan is not quite a democratic utopia:

Kazakhstan is often described as authoritarian, and most elections are won by the ruling party with nearly 100% of the vote. There is no effective political opposition.

Kirby's Vox article also highlights some of the domestic political interest complicating the responses:

The outrage was against [former president] Nazarbaev, not against [the new president] Tokayev,” said Assel Tutumlu, an assistant professor of international relations at Near East University. “Because Tokayev is not really a decision-maker, since power still belongs to the old president.”

And Reuters covers some of the economic concerns :

The unrest began on Sunday when== the cost of liquefied petroleum gas== (LPG) - which many people in Kazakhstan use to fuel their cars - doubled.
The violence has dealt a blow to Kazakhstan's image as a tightly controlled and stable country, which it has used to attract hundreds of billions of dollars of Western investment in its oil and minerals industries.

Interestingly, The Verge reports that cryptocurrency miners had a critical role in causing the spike in energy prices:

The Financial Times’ research also estimates that over 87,849 “power-intensive” mining rigs have made their way from China to Kazakhstan. The country now sits in the number two spot — just behind the US — as one of the hottest crypto mining spots, according to data from the University of Cambridge.

Children's Privacy:

“Won’t Somebody Think of the Children?” Examining COPPA Compliance at Scale
We present a scalable dynamic analysis framework that allows for the automatic evaluation of the privacy behaviors of Android apps. We use our system to analyze mobile apps’ compliance with the Children’s Online Privacy Protection Act (COPPA), one of the few stringent privacy laws in the U.S. Based…

An interesting study I read this week (conducted in 2018), addresses mobile app compliance with US privacy laws protecting children younger than 13 from intrusive data collection. I found this app from this article, which is worth reading as well.

The study looked at legal compliance with Children’s Online Privacy Protection Act (COPPA), using an automated tool to simulate user input into applications, and then analyzing what data was collected by the app and where/how it was transmitted (you can read more details in their "methodology" section.

Their methodology appears sound, and their analysis/claims to be conservative/ As they note:

Therefore [based on our methodology], the results produced by our method represent a lower bound of potential COPPA violation.s

Throughout the study the researchers identify significant privacy violations, a web of unenforced "you shouldn't use this on kids" warnings from SDKs, developers, and third-party advertisers, etc:

Based on our automated analysis of 5,855 of the most popular free chil-dren’s apps, we found that a majority are potentially inviolation of COPPA...

Worse, we observed that 19% of children’s apps collect identifiers or other personally identifiable information (PII) via SDKs whose terms of service outright prohibit their use in child-directed apps.

They also observed that in some cases applications would avoid collecting certain prohibited data, but collect other data that could be used to easily extrapolate the prohibited data (a very common behavior in adtech):

To give an example: one observation generated from our analysis was that 37 apps—all developed by BabyBus, a company specializing ingames for young children—did not access the location of the device through the standard Android permissions system.
Yet, we observed them transmitting hardware and network configuration details [including] the names of saved Wi-Fi hotspots and their MAC addresses, as well as the currently connected Wi-Fi access point, which can potentially be used as a surrogate for location.2 This arguably deceptive practice is indeed well known: the United States Federal Trade Commission (FTC) reached a $4M settlement with analytics firm inMobi, for its alleged deceptive collection of location data in a very similar maner [23].

To try this out yourself, you can use wigle to look up wifi access points by name (SSID) or by MAC address (BSSID). By entering a network name in the "SSID" search field on the right side of the map and then clicking "Filter" you can see where that name has been found.

As seen in the FAQs here wigle is a community tool, not a commercial tool, and is largely fed by data from individuals. Private companies have access to datasets that allow them to conduct this same type of location tracking.

As seen in Facebook's "why do we care about tweens" quote from last week's WYSK, this is not just accidental, but advertising companies (Facebook is an advertising company) are actively interested in what they perceive as a valuable and under-monetized population slice.

Interest piqued? Disagree? Reach out to me at TwelveTablesBlog [at] protonmail.com with your thoughts.

Photo by Tamara Gak on Unsplash