Privacy And Power: What Your Apps Say About You (Part 2) | NBC Nightly News

Channel: NBC News
Published: 12/10/2019

Description
Although you may be able to limit some data tracking on your web browser, your mobile device does not have the same tools to block third party trackers in mobile apps. Furthermore, there are very few laws in the U.S. that protect citizens from the collection of information through mobile apps. I...



Transcript
[ music ]. If you went back in time 20 years and you asked the nsa, what would they want to have to surveil somebody right? What would the perfect surveillance device be? Well, it would know where somebody is all the time it would track all their phone calls. It would track who their friends are. Their banking and financial information that would have a microphone on them got a camera on them. Tha ...
'S your cell phone [ music ]. When you open an app, there are components from many different parties. Then you may not be aware of sometimes before you even get to interact with the app the app is already collecting information about you. One common thing that we seenow over the past couple years is this: push for: what's called cross device tracking and that's where companies try to correlate your activity on your mobile phone with what you view on your smart tv requests you might make to you know your Amazon, echo in your house what you do on your computer and what websites you visit so that they can make a much more detailed profile of you. All of this happens completely behind the scenes. This is something that all of the apps that you interact with on a daily basis are doing. We found, through our studies with lumen, that seven out of ten apps that we studied had a third-party data collection componentand. This is to say nothing of the first party data collection component, that is within pretty much all apps that have internet access, so i started lumen and i opened this random game that i found on the play store.

It asked me whether i wanted to log in - and i said that i didn't i just tapped it once i haven't - played the game yet i just tapped this screen like once or twice. If i go back to lumen, i already see you know it's using ad colony, there's ad tilt, there's fiber comm google analytics google syndication miniclip, which is the developer of the app there's motor ads. There'S supersonic ads, unity3d vongole, so already there'squite a few services that is contacted by this app just by opening it. I didn't play the game and i guess it wasn't open for more than like 20 seconds, and so, if i go to the leaks tab, i see android id, which is my advertising id. It'S a unique number assigned to my device that can be used to track me across different services. Google specifically prohibits collecting hardware, ids and fingerprints along with your advertising id because you're supposed to be able to reset and randomize your advertising id or android id. But you cannot really reset your device fingerprint. You cannot really reset your hardware ids. So the fact that they're sending all of theseinformation together is kind of a violation. All the stuff that i got was basically from a random game. I picked from the first page of the play store without really interacting with it. It already connects to ten different trackers, and you can't imagine you know if you really dig deep and, like you install a whole bunch of apps, you will probably get more than this.

This is the app census project and the main goal of this project is to figure out how apps access and collect data from users we go through about a thousand apps a day. We'Ve analyzed, i think, over eighty thousand apps over the past two years, once they're in our databasewe actually check every two weeks for updated versions and so we're able to compare okay. This version behaved this way and later on, it behaved this way we've observed apps. You know collecting location data phone numbers, email addresses the most common data type we've found are something called persistent identifiers z' within your phone. There are these alphanumeric strings that are unique to it and, through that they're able to build a profile of your interests and start them for who you might be. There are definitely some big players out there. So, for example, google has their own advertising division, they have subsidiaries like double-click twitter has an advertising arm called moe pub, but we also seesome smaller players as well, some of them they're kind of hard to pin down who they are exactly because all you see is Their ip addresses - and you know we point our web browsers to it and we don't get any information as to who they might actually be. So if you go to a search, app census dot, you can search for all of the apps. It'S a free service that we're providing for consumers, so you can just type in the name of your apps and it'll bring up a page listing. You know all the versions that we've looked at four particular apps: the permissions that they request. So whether the app has tried to accesslocation data or not, you know whether it will ask the for permission, access, location data or various other types of personal information. And then we have a list of all of the third parties that we observed that app communicating with and what data types were sent to those their parts and whether they used encryption.

Something bizarre that we found. We looked at the cvs pharmacy app and we saw that it was sending your location data to like 50 different companies. We found it sending your location data to cloud front group by cloud, facebook and piece that now we don't know if they're actually using it, but still you know, we found that if it's bizarrethat you open up a cvs app, you know you might just be trying To find where the nearest store is now all of a sudden, you know microsoft and web trends, and i have no idea what this is: helium helium iq. com. Now they know where you are, it could be anyone. Your key location reveals a lot of things about you. If they build up your geolocation history over time, they'll be able to infer with pretty good accuracy where you live, and from that like what kind of neighborhood it is. Maybe your income level. Similarly, where you work your probable profession, what your interests are you go to the gym? Do you go to churchso queue? Location is pretty sensitive information in more recent versions of it that appears to have been fixed. I think what the main takeaway from our research is that people use apps, and you know people derive a lot of value from it, but there's this huge ecosystem. Just under the surface, that's invisible to people. There are these companies that no one's really heard of but they're kind of everywhere, they're trying to figure out who you are they're exchanging data with each other and as a user you're, not in a very good position to be able to control.

That and one theme that seems to be recurring in a lot of the research that my grouphas been doing is that consumers have this impression that there are privacy laws that protect the most serious abuses that they are concerned about and that's fundamentally wrong. For the most part, there's no law that says you can't track people using location tracking you that you can't use third-party ad trackers to collect data about you, and we have no regulation today in the u. s. that prevents these companies for doing this. So there's a patchwork of laws and regulations that govern information practices and they are able to operate within within that framework without a lot of regulation that we don't have what we call an omnibus law, something that protects at all: [ music ]. I think thattraditionally when we think about the privacy we think about a human observing, a human you are looking at me, i'm looking at you. We always attach to this human observation power, because if you look at me - and you know something about me - you have power over me that that's very long all of our legal institutions evolved from this understanding of privacy. Someone is watching you, the state is watching you, individuals are watching, you, corporations are watching you, but then over time. What happened with this digital era is that we no longer have a human watching, a human. We have an algorithm watching a data point. I can guarantee you that you will not put ahuman assistant in your bedroom just to help you like. What'S the weather, what's going on play a song for me that would be super creepy.

We do it with smart assistants. We'Ve placed them in the most private parts of our houses, alexa, for example, and all the other devices they they work with a wake up ward. So when you say alexa, it will wake up now. In order to hear you say alexa, it has to listen all the time. What happens with this information? It'S not entirely clear. Sometimes it is recorded and kept. Alexa has already been used as a witness in a murder trial, because information is being recorded and this shift created ahuge mess because we no longer know how to speak about it and we still use the term privacy because, yes, there is power attached to this observation And if you break it down it's nobody, because it is nobody. It'S an algorithm watching me because it's not me it's a data point, and i think this is one of the reason privacy's failing as a policy goal, because if we're going to try to think about all the laws that protect our information, all these laws are based On a basic notion of privacy, self management, what consumers are actually left with is what we call the the notice and consent framework and really that's just you know, fancyterminology for privacy policies. So you get to agree or disagree to a collection of information about you right. You never read that was privacy policies, because if you really want to read them, you'll need about 76 working days. Let'S say that you're willing to give 76 working days to reading those privacy policies. It will be very hard for you to understand those policies, not only because sometimes they're using legalese and people who are not.

Lawyers will not understand them, but also because sometimes the language is very vague. Most privacy policies mentioned third parties, because this information might be shared with third parties, who are those third parties? What are they gon na do with the informationwhen? You share it with third parties. Can they share it with fourth parties and fifth parties and everybody will come to the party it's unclear, but we do click. I agree on this clicking. I agree it has legal volume, it has legal validity, it means that we now entered a contract and why there is work this way, because we live in a democracy, because we believe choices are something that we should protect. It'S a catch-22 because we protect our choices, but then we don't really want to choose. We'Ve, never read those privacy policies and don't really make any choices. We can't say what. Certainly the consumers understand every aspect of a lengthy and complex privacypolicy. It'S the mechanism that we have in place at the moment. The commission has called on congress to enact comprehensive privacy and data security legislation, and it remains to be seen whether or not that will occur. We need to think as a society.

What does it mean that we share this data? What does it mean that this data is being collected? What does it mean that it's being analyzed and used in certain ways? Hey nbc news fans, thanks for checking out our youtube channel subscribe by clicking on that button? Down here and click on any of the videos over here to watch, the latest interviews show highlights and digital exclusives thanks for watching.


Watch Next

Loading...