
Security Bits — 9 February 2020

Feedback & Followups

Deep Dive 1 — Hardware & Software Caught Spying on Users and Selling Their Data

Since our last instalment a whole bunch of hardware and software vendors have been caught with their fingers in the proverbial user-data cookie jar.

The first company to make the news was Ring (now owned by Amazon). The EFF published their research on the Ring app for Android, which showed that the app sends personally identifiable information (PII) to at least four third-party trackers.

This research only covered Ring’s Android app and did not test their iOS app, so I simply don’t know whether Apple’s more stringent rules were enough to prevent the same behaviour on iOS.

The other hardware vendor to make the news for all the wrong reasons was Wacom. The driver for some of their drawing tablets was caught phoning home with a list of every app opened on machines with the driver installed. The way this tracking came to light is interesting: a user was installing the driver and was about to click past the privacy statement when they were struck by the obvious question, ‘Why does a device that is essentially a mouse need a privacy policy?’

After the story broke Wacom clarified that the data being collected is used purely to help them improve the app, is not sold, and does not contain any PII. Wacom also apologised for not being more up-front about this and pointed out that users can opt out at any time.

Based on the data being collected, and the fact that the collection was disclosed in the product’s actual privacy statement, I (Bart) don’t think there was any intention to deceive here. I think it was just a simple lack of awareness of the importance of data transparency in the modern world.

Moving over to software, the first big story to break was a joint investigation by Motherboard and PCMag which revealed that AV firm Avast were collecting very detailed browsing data from their AV users (including browser-plugin users) and selling it through a subsidiary named Jumpshot. Avast claim there was consent, but it seems it was not informed consent. After the article was published Avast announced it would wind down Jumpshot. It seems unlikely Avast is the only AV vendor doing this. This is a particular concern with any free or under-priced product that has privileged access to your computer: remember to follow the money to make sure the stuff you use is not FreePI!

Finally, while a photo-editing app has far fewer privileges on your system, and so can gather and sell a lot less than an AV can, it turns out even photo editors can get up to some creepy stuff. Listener @zkarj highlighted an article from PetaPixel on the Podfeet Slack which shows that Luminar 4 sends user data to Facebook, among others.
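A practical way to check what software like the Ring app or the Wacom driver is phoning home is to route the machine (or phone) through an intercepting HTTP proxy, export the captured requests, and scan them for known analytics endpoints and identifier parameters. The script below is an added example (Bart’s own notes carry no code and it is not the EFF’s or Robert Heaton’s tooling); the tracker host list, the identifier key list and the log lines are all constructed for illustration, not taken from the Ring or Wacom research.

```python
"""Scan an HTTP proxy export for telemetry sent to known tracking hosts.

Everything here is illustrative: the host list, the identifier keys and the
sample log are constructed for this example, not real captured data.
"""
from urllib.parse import parse_qs, urlsplit

# Hostnames treated as analytics/tracking endpoints (assumption: an
# illustrative list, not an authoritative blocklist).
TRACKER_HOSTS = {
    "www.google-analytics.com": "Google Analytics",
    "graph.facebook.com": "Facebook Graph API",
    "api.mixpanel.com": "Mixpanel",
    "api.branch.io": "Branch",
}

# Query keys that commonly carry a per-device or per-user identifier
# (assumption: illustrative list).
ID_KEYS = {"cid", "uid", "advertiser_id", "idfa", "gaid", "device_id"}

# Constructed proxy export, one "<METHOD> <URL>" request per line.
SAMPLE_LOG = """\
GET https://example-vendor-cdn.invalid/driver/update.json
GET https://www.google-analytics.com/collect?v=1&tid=UA-0000000-1&t=event&ec=app_launch&ea=Photoshop.exe&cid=1234
POST https://graph.facebook.com/v5.0/123456/activities?event=CUSTOM_APP_EVENTS&advertiser_id=abcd-ef01
GET https://api.mixpanel.com/track?data=eyJldmVudCI6Im9wZW4ifQ==
GET https://example-vendor.invalid/api/login
"""


def parse_line(line):
    """Split one export line into (method, host, path, query-params)."""
    method, _, url = line.strip().partition(" ")
    parts = urlsplit(url)
    # parse_qs returns lists; keep only the first value per key.
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return method, parts.hostname, parts.path, params


def find_tracking(log_text):
    """Return one record per request that went to a known tracker host.

    Each record names the vendor, the endpoint, any identifier-looking
    parameters, and the full parameter set so an analyst can see what
    (e.g. which app name) was reported.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        method, host, path, params = parse_line(line)
        vendor = TRACKER_HOSTS.get(host)
        if vendor is None:
            continue
        hits.append({
            "method": method,
            "vendor": vendor,
            "host": host,
            "path": path,
            "identifiers": {k: params[k] for k in ID_KEYS & params.keys()},
            "params": params,
        })
    return hits


if __name__ == "__main__":
    for hit in find_tracking(SAMPLE_LOG):
        print(f"{hit['vendor']:<20} {hit['method']} {hit['host']}{hit['path']}")
        print(f"    identifiers: {hit['identifiers']}")
        print(f"    params:      {hit['params']}")
```

On the constructed sample this flags three of the five requests, and the Google Analytics hit shows the pattern that made the Wacom story newsworthy: an app name (`ea=Photoshop.exe`) sent alongside a stable client identifier (`cid`). Real captures will use POST bodies and encoded payloads far more often than bare query strings, so treat this as the first pass, not the whole investigation.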

Links

The Clearview AI Controversy

A US startup named Clearview AI has sparked a lot of controversy in recent weeks. The company has built an AI-powered search engine which matches photos of faces to social media profiles. You give the search engine a photo of a random person, and if they are in the database you get back all their social media profiles.

Clearview AI are not making this very powerful search tool available to the general public, but are instead selling access to it, including to law enforcement agencies. This has raised privacy concerns and gotten the attention of civil liberties groups.

The database was built up by scraping social media sites, a direct violation of those sites’ terms of service, and arguably also of the US Computer Fraud & Abuse Act (whether scraping publicly visible pages breaches the CFAA is still contested in the US courts). Unsurprisingly, the large social media companies have sent Clearview AI cease-and-desist letters demanding it stop scraping and delete the data it already holds.

Links

❗ Action Alerts

Worthy Warnings

Notable News

Top Tips

Excellent Explainers

Interesting Insights

Palate Cleansers

Legend

Note: when the textual description of a link is part of the link it is the title of the page being linked to; when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
❗ A call to action.
(country flag) The story is particularly relevant to people living in a specific country, or the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a pay-wall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.
