
A Peek at Online and Mobile Privacy

While it’s commonplace to share information online and via social media, we all want our information safe, and we want control over what we share. Unfortunately, control is becoming harder to establish and maintain.

As much as I am a technogeek, I am also security and privacy paranoid. Social media exposes us. Technology itself exposes us. My biggest privacy worries are currently around social media, and the mobile use of private information supported by smartphones.

Facebook

Facebook is still one of the most visited sites on the Internet, with Google ranking ahead of it. I was just reading that the average user spends 6-7 hours per month on Facebook. Given that my number is closer to 15 minutes per month, I know that the amount of time is skewed towards active users. One of my daughters probably spends at least an hour or two per day on Facebook, while my other one says that Facebook is “old news” and uses Twitter and Tumblr more. So, whether or not Facebook will be around for a while, it is currently the “face” of some of the most raging privacy issues.

Facebook has a respectable set of security controls that make it very easy to manage how much information you share and with whom. As much flak as Facebook got for forcing the Timeline view on users, it is pathetically easy to manage what you share by using groups or friend lists. And you can always check what other people see by using the “View As” option from your timeline page. And, if all else fails, most entries in your timeline have a little “Edit or Remove” option in the upper right corner that will let you Hide or Delete the entry if you so wish. You just have to check your own page.

But beyond your settings, if your school or employer says that they require access to your Facebook account, do you have to give up your credentials? The answer is currently unclear. The school or company can include in an agreement (for instance, an enrollment contract or an employment agreement) that they require access to your social media accounts, including Facebook. They can say that while divulging that information is voluntary, it is a condition of employment/enrollment. You can find reports of this happening to a variety of employees, applicants, and students as young as middle school. As much as people seem to object to that, it is currently legal, and if you signed the agreement unknowingly, you may find yourself in a quandary. If an “unauthorized” person is browsing your posts, they can see a variety of other personal information including gender, sexual preference, pregnancy status details, and more. Furthermore, this exposes posts and information from any of the user’s friends who otherwise have private or controlled accounts. Technically, there is some debate whether or not it is even legal for the employer or school to ask you to sign an agreement that could require you to divulge your Facebook credentials, since you already have a pre-existing agreement with Facebook. Outside of the obvious privacy issues, the problem with divulging your Facebook credentials is the Facebook Terms of Service, which, by the way, you agreed to when you set up your Facebook account:

8. You will not share your password, (or in the case of developers, your secret key), let anyone else access your account, or do anything else that might jeopardize the security of your account.

And, if you violate your Facebook Terms of Service, your account can be suspended or cancelled.

Several elected officials have tried to get Congress to pass laws that would explicitly make it illegal for an employer or school to ask for your social media credentials. Congress has already voted against a bill that would have allowed for “Protecting the passwords of online users,” but asked the Justice Department to investigate instances where employers asked for passwords. In March of 2012, Maryland passed the first state law against an employer asking for any social media password from any employee or applicant. California has one in the works now, and at least eight other states are holding some form of discussion on these laws. The Password Protection Act (PPA) of 2012 would also make it illegal for employers to request passwords. PPA may be introduced for a vote soon. SNOPA (Social Networking Online Protection Act) goes a little further, as it also protects students, something that the PPA effectively ignores. Employee privacy laws in Canada are strong enough that it may already be illegal there to ask for Facebook credentials. While they are not there yet, the European Union is also talking about enacting similar laws. At this rate, those password requests are probably going to end sooner rather than later.

Android Phones

I will pick on Android phones because I have one. Personally, I am not a big “widget” guy. I choose only the widgets that provide functionality I find valuable, then I check all of the detailed security permissions the widget is requesting. I exercise my security paranoia and pretty much reject every widget and update that requests permission to “Read sensitive log data” or “Your personal information.” And I actually check permissions again when widgets update.
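The permission check described above can be scripted rather than done by hand in the Play Store dialog. The following is an added example, not code from the column or from any product it mentions: it parses the “requested permissions:” block of each package in text shaped like `adb shell dumpsys package` output and flags packages asking for permissions in the categories the column rejects. The sample dump is constructed, and the mapping from the old Play Store labels (“Read sensitive log data,” “Your personal information”) to concrete `android.permission.*` names is an assumption made for the example.

```python
import re
from typing import Dict, List

# Assumed mapping from the old Play Store permission labels the column
# mentions to the underlying Android permission names.
RISKY_PERMISSIONS = {
    "android.permission.READ_LOGS": "Read sensitive log data",
    "android.permission.READ_CONTACTS": "Your personal information (contacts)",
    "android.permission.READ_CALENDAR": "Your personal information (calendar)",
    "android.permission.GET_ACCOUNTS": "Your personal information (accounts)",
    "android.permission.READ_PHONE_STATE": "Phone identity and status",
}

# Constructed sample in the shape of `adb shell dumpsys package` output,
# trimmed to the fields this parser needs. Package names are made up.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.weatherwidget] (7a3f1c0):
    userId=10087
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_COARSE_LOCATION
      android.permission.READ_LOGS
      android.permission.READ_PHONE_STATE
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.flashlight] (2b9e44d):
    userId=10088
    requested permissions:
      android.permission.CAMERA
    install permissions:
      android.permission.CAMERA: granted=true
"""

PACKAGE_RE = re.compile(r"^\s*Package \[([\w.]+)\]")


def parse_requested_permissions(dump: str) -> Dict[str, List[str]]:
    """Return {package_name: [requested permission names]} from dumpsys-style text."""
    result: Dict[str, List[str]] = {}
    current = None
    in_requested = False
    for line in dump.splitlines():
        m = PACKAGE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = []
            in_requested = False
            continue
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_requested = True
            continue
        if in_requested:
            # Entries are bare permission names; a header (ends with ':') or a
            # key=value line means the block is over.
            if current and stripped and ":" not in stripped and "=" not in stripped:
                result[current].append(stripped)
            else:
                in_requested = False
    return result


def flag_risky(dump: str, risky: Dict[str, str] = RISKY_PERMISSIONS) -> Dict[str, List[str]]:
    """Return only the packages requesting a risky permission, with the label for each."""
    flagged: Dict[str, List[str]] = {}
    for pkg, perms in parse_requested_permissions(dump).items():
        hits = [risky[p] for p in perms if p in risky]
        if hits:
            flagged[pkg] = hits
    return flagged


if __name__ == "__main__":
    # On a real device, feed the output of `adb shell dumpsys package packages`.
    for pkg, hits in flag_risky(SAMPLE_DUMPSYS).items():
        print(pkg)
        for label in hits:
            print("    requests:", label)
```

Running it against the constructed sample flags only the weather widget, for READ_LOGS and READ_PHONE_STATE; the flashlight app, which asks for nothing beyond the camera, is left alone. Re-running the same script after each update is the scripted equivalent of the author's habit of re-checking permissions when widgets update.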

But I still had status bar ads on my phone. How did those get there? I had checked everything I installed: Googled the widgets and read the descriptions. None of them admitted bringing any adware onto my Droid. Adware brings ads, and, personally, I find that as annoying as those constant telemarketing calls that pretend the Do Not Call list does not exist (yes, I mean you, Mr. “annoying card services who calls five times a week – press 1 to talk to a representative now”). If I saw notification of ads and could decide whether or not I was willing to live with them, that would be one thing, but when the widget drags along hidden adware I get annoyed. Inevitably, I have accidentally clicked on some of those ads while trying to do something else. Who knew you could buy a kayak vacation in Alaska for $599? It does make me wonder if that was really an effective use of ad dollars.

Ads on Android are not a new issue. But those ads are money. An adware provider can get 500,000-800,000 supported downloads per day. Software makers and distributors get fees for every installed adware client that is distributed. Adware can push ads to your device, which can lead you to websites that you would not otherwise have visited. Of course, the adware companies get fees for every click-through. They get fees for every ad they push. I am seeing figures suggesting that a widget maker can get $6-12 for every 1,000 pushed ads they deliver with bundled adware. AirPush claimed that there are about 40 million unique handsets that have downloaded an application that included their adware – 40 million.

Depending on your data plan, that push can cost you money. The ad itself takes up little bandwidth, but if you click through, either accidentally or on purpose, data usage climbs – unlimited plans are no longer unlimited, right? There may be a valid reason for adware – it helps make that widget free – but that only counts if you knew what you were getting. And that assumes the adware is just pushing ads, while some adware, and malware disguised as adware, tracks browser history and potentially pulls other information like phone number, phone details, phone settings and account details. That doesn’t really sound like the type of function I want running on my phone without my knowledge.

Go to the Google Play Store and find the Ad Network Detector from Lookout Mobile Security (there are others, but I like this one). Download it, install it, and run it. After 20-30 seconds, the app will itemize all of the widgets on your handheld device that communicate with the adware sources identified by Lookout Mobile Security. Ad Network Detector lists counts of widgets that fall in “bad” categories, like “Display ads in Android notification bar” and “collect personal information.” You can then select a category to see the adware source it found, and then the actual offending widget. Keep clicking and you can see statistics about the widget and the ad networks it talks to, and get the opportunity to clear the widget cache, delete widget data, and even uninstall the widget. The best part is that it is even easier than it sounds.

You will obviously have to make your own decisions on how sensitive you want to be, but if you see connections with ad vendors like AirPush and Moolah Media you know you have extra payload on your phone. You should be able to review the list of apps that support the adware, and make a conscious decision on whether or not each widget is worth it. In my case, I found the culprit – a QR Code reader that I had recently updated – and oddly enough, no mention of “now supports pushed ads” was made in the update notice. I was able to easily find a replacement QR Code reader and the polluted widget found its way to the trash.

So, my Facebook and Android privacy solutions are not perfect. But a good blend of sanity helps reduce my worries.

Related Reading: A Day in the Life of Privacy

Related Reading: Facebook vs. Privacy - What You Can do to Protect Your Privacy

Related Reading: Got Android? Some Considerations on Permissions and Security

Jon-Louis Heimerl is Director of Strategic Security for Omaha-based Solutionary, Inc., a provider of managed security solutions, compliance and security measurement, and security consulting services. Mr. Heimerl has over 25 years of experience in security and security programs, and his background includes everything from writing device drivers in assembler to running a world-wide network operation center for the US Government. Mr. Heimerl has also performed commercial consulting for a variety of industries, including many Fortune 500 clients. Mr. Heimerl's consulting experience includes security assessments, security awareness training, policy development, physical intrusion tests and social engineering exercises.