Maybe “smart” devices are too clever: they know all about your Facebook friends, and can spy on you and your family

Posted on Jun 22, 2018 by Glyn Moody
iot and privacy

The Cambridge Analytica scandal revealed the power of psychological profiling and hyper-targeted advertising based on personal data collected and stored by Facebook. As it became aware of these privacy violations, Facebook tightened up the rules governing what data the apps running on its platform could access. However, in a further blow to Facebook’s reputation as a trustworthy guardian of the personal data of billions, the New York Times has revealed that for years, precisely the same kind of deep access has been available to most of the leading hardware manufacturers:

Facebook has reached data-sharing partnerships with at least 60 device makers – including Apple, Amazon, BlackBerry, Microsoft and Samsung – over the last decade, starting before Facebook apps were widely available on smartphones, company officials said. The deals allowed Facebook to expand its reach and let device makers offer customers popular features of the social network, such as messaging, “like” buttons and address books.

As part of the deal to enable companies to offer Facebook functionality on a wide range of devices, a manufacturer’s software could access personal information not just of device owners, but also from all their Facebook friends. Non-public profile information such as friends’ religion, birthday, political affiliation, whether they were online, and their location, were all available, regardless of the account’s privacy settings. Furthermore, the device could also request basic information about most of the friends’ friends. That remained true even after Facebook brought in new access rules that stopped Facebook apps from doing the same, as had happened with Cambridge Analytica.

In a post responding to the news, Facebook insisted this approach was common when it was introduced. On Twitter, Facebook wrote: “At the time there were no app stores and this was standard industry practice”. The company also said that it had already ended 22 of the “partnerships” with hardware manufacturers that gave them this unrestricted access to friends’ personal data, and would be phasing out the approach completely.

However, if Facebook thought this would be enough to still the privacy storm, it was mistaken. A couple of days after the initial revelation, things took a turn for the worse when it was further revealed that Chinese companies had also been granted the same wide-ranging access to personal data:

Facebook has data-sharing partnerships with at least four Chinese electronics companies, including a manufacturing giant that has a close relationship with China’s government, the social media company said on Tuesday.

The agreements, which date to at least 2010, gave private access to some user data to Huawei, a telecommunications equipment company that has been flagged by American intelligence officials as a national security threat, as well as to Lenovo, Oppo and TCL.

Facebook has announced that it will end the Huawei deal almost immediately, and said that the data was stored on consumer devices, not on Huawei’s servers. Huawei, for its part, insists that it has never collected or stored Facebook user data. There’s no evidence to suggest it has, but it’s worth considering what could easily have happened here, because it highlights the very serious risks of not making privacy protection a priority when designing “smart” digital devices or services.

Facebook admits that it provided Chinese companies with privileged access to Facebook accounts. That includes being able to identify all the friends of a user, as well as highly personal information about those people. Facebook insists that sensitive data was only held on the device itself, and again there’s no evidence – yet, at least – that’s not true. But it would clearly be a simple programming exercise to update the system software of a device to allow sensitive Facebook data to be sent back to the manufacturer, and thus, potentially, to the Chinese government, which is well-known to have very close links with the major technology companies in the country.

All the information gathered in this way could be consolidated into a single database. The Cambridge Analytica experience shows how powerful this process can be. In that case, even though only a few hundred thousand people took the “personality test”, the app “thisisyourdigitallife” was able to harvest the personal information of millions of the participants’ friends. Facebook admits up to 87 million of its users could have had their personal data collected indirectly in this way.

It’s true that Chinese device manufacturers may not have had hundreds of thousands of users in the West, so the number of harvested accounts would be correspondingly fewer. However, the scaling factor means many millions might still be affected, especially if the friends of Facebook friends are included. Among those millions, it is quite likely that there are people working in Western intelligence services, government, the military etc. In other words, Facebook’s deal with manufacturers could have allowed highly personal – and thus useful – information to flow back to the Chinese government, where it could have been combined with other sources to create extremely detailed profiles of key individuals in the West.

If that sequence of events seems too fanciful to worry about, it’s worth bearing in mind that the unnoticed and unregulated flow of personal data from devices back to manufacturers, including many based in China, is already happening, and on a massive scale. That fact is confirmed by a new report from the UK consumer organization Which?. It looked at the increasingly popular “smart” devices that are found in many homes these days. “Smart” in this context means considerable built-in computing power, and a connection to the Internet. Here’s one of things Which? found that can lead to:

When we used a smart TV for just 15 minutes, it connected with a staggering 700 distinct addresses on the internet.

The report also discovered serious privacy problems with an ieGeek wireless security camera:

we found a flaw in this wireless security camera’s app (provided by a company called Sricam), which meant that we could access more than 200,000 passwords and device IDs for other ieGeek cameras.

We could then see live video feeds of other users, and talk to those users via the camera’s microphone (which we didn’t do). ieGeek/Sricam fixed this flaw in late March 2018, but we’ve subsequently found and disclosed other critical vulnerabilities with the camera and app.

Both ieGeek and Sricam are based in Shenzhen, China, widely regarded as the hardware equivalent of Silicon Valley. Again, there’s no suggestion that these flaws are being actively exploited by the Chinese intelligence agencies, say, but equally, there’s no reason why that isn’t happening. After all, Edward Snowden revealed the UK’s GCHQ spy agency did exactly this for years.

And it’s not just about those two Shenzhen companies. It’s probably true that most “smart” devices are made in China at the moment; it’s certainly true that many of them have serious security flaws. That’s a big problem for reasons explained by security expert Bruce Schneier last year:

The sellers of those devices don’t care: They’re now selling newer and better models, and the original buyers only cared about price and features. There is no market solution, because the insecurity is what economists call an externality: It’s an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution.

Although these insecure devices for the home are unlikely to harvest personal information about your Facebook friends, they are very likely to leak intimate details of your life at some point: what you are saying, what you are doing, who you are with, when you leave and return to your house. What they have in common with the news about Facebook’s deals with device manufacturers is that they are both about a loss of control. People were unaware that Facebook friends’ devices had access to information that they thought they had protected by marking it as “private”. Similarly, users of “smart” devices don’t know when the latter are sending back information about their lives, and to whom, or whether they have been hacked through bugs in the code or weak passwords, and are under the control of someone else.

One partial solution, imperfect as it is, is greater transparency from companies – from Internet giants like Facebook, about the deals they sign, and from small startups in Shenzhen about any flaws that are discovered in their code and how they can be fixed. The greater the transparency from companies, the greater the likelihood the public can preserve their privacy.

As more people buy “smart” devices that are connected to the Internet, so the security implications of doing so become more pressing. Protecting your privacy online using a VPN is a necessary move, but only the first step: people now need to start asking what their smartphones, smart speakers, and smart fridges are doing with the their personal data, and that of their friends.

VPN Service