A prestigious Mexican teacher and researcher recently conducted a curious experiment with her computer science students, which once again showed that digital marketing tools not only store and interpret our behavior, but might be crossing the fine line of privacy, a fact that several cybersecurity experts have been warning about for several years and that is even the reason for mutual accusations between international security agencies.
Are we being monitored from our network-connected devices?
By: Gabriel E. Levy B.
Raquel Torres, PhD in Computer Science, conducted an experiment with her Computer Science students that measured the time elapsed between mentioning or searching for an article or product and the appearance of advertising for it on other platforms. The channels tested were phone calls, WhatsApp or Telegram messages, voice messages and, most frightening of all, “TALKING LIVE WITH THE CELL PHONE AT THE SIDE, WITHOUT USE”[1].
The experiment showed that after searching for food on Google, it took 7 minutes from the beginning of the process until an Uber Eats ad appeared on Twitter[2].
It was mentioned during a phone call that an Xbox was wanted, and as a result, it took 16 minutes for the advertisement of this product to appear on Facebook[3].
In another phone call, the caller’s desire to learn how to make wooden furniture was mentioned during a conversation, which resulted in an advertisement appearing on Facebook within 40 minutes[4].
A conversation was held through the Telegram platform regarding the intention of buying a printer, which shortly after led to the appearance of an advertisement for this type of product on Facebook[5].
But undoubtedly the most worrying result of the experiment came from a face-to-face conversation in which the mobile device was not used, although it lay next to the people talking the whole time. The subject was some kind of Mandalorian doll, which appeared two days later as an advertisement on the Facebook wall of the people involved in the conversation[6].
It was not even clearly stated which doll was wanted; only “the Mandalorian doll” was mentioned. Two days later, the ad appeared on social networks[7].
The results of this interesting experiment allowed the Mexican expert to conclude that “whenever we have a device nearby, someone will be listening”:
No matter what we do, as long as there is a device nearby, we will have someone listening. For now it is all about selling, but what about later? That is why we must know how networks and AI algorithms work since childhood [8].
The Digital Fingerprint
Being connected to the Internet through any type of device necessarily involves generating information flows and footprints. Every search, every chat, every uploaded or played video, every written text, every published photo, every generated sound is an information footprint, which when added and consolidated with those of millions of connected users produces a wide cloud of information known as Big Data.
Big Data allows the consolidation of generic information about what is happening on the Internet; for example, how many millions of people are searching for news about a football match, a live event, a last-minute event or a cooking recipe. This information is analyzed to show global trends that are useful for companies and media. But, at least in theory, that information cannot be individualized: Big Data regulatory standards prohibit the information collected from being used to identify people individually to learn about their tastes, transactions and communications. According to a recent New York Times[9] investigation into the recent incidents at the Capitol, that promise is easily broken if the necessary resources are available[10].
“They are supposed to be anonymous and smartphone owners can reset them or disable them completely. Our findings show that the promise of anonymity is a sham.”[11] The New York Times.
On the other hand, there is a record of local footprints stored under the popular name of cookies, which serve to record the particular actions of a user when browsing a particular website. Based on this information, social media such as Facebook or platforms such as Google (which includes YouTube) target or customize the advertising that the Internet user receives. That is, if a person looked up sports articles on Google, cookies, stored on the particular device or server, will allow Facebook to target advertisements about sports articles, information that Facebook matches with other data, such as the type of groups the user follows and the posts the user likes. This is also done, at least in theory, without sharing the user’s private information with advertisers.
These two resources are enough to make it clear that the Internet is not an anonymous place where users’ actions are hidden; on the contrary, it is possibly the space where human actions are most traceable and recorded. However, according to most of the laws that have regulated the Internet, all of the above must occur without compromising the privacy of users and respecting the integrity of their information.
Multiple risk factors
Despite legal and regulatory protections, the potential for users’ private information on the network to be compromised spans a wide spectrum of risks, from the device itself (e.g. a smartphone) and its operating system (Android, iOS, Windows) to the software and applications used for multiple functions (games, social media, tools, etc.). Any of these elements may end up sharing users’ private information with their central servers. Although this is a crime in almost all countries, it is very difficult for the authorities to control.
The Backdoor Danger
Backdoors are special code that can be hosted in the firmware (the default software used by the hardware), in the operating system or in applications, and that can defeat the combined software and hardware security of any device, bypassing controls without leaving a trace[12].
The American expert Suzanne Spaulding, who worked as an IT security consultant for the US Department of Homeland Security, used the metaphor of a castle to explain the risks of backdoors in an interview with the BBC in the UK:
You build your castle, dig the moat around it and put all your guards to protect it, all of them ready to defend the castle against any adversary, but someone inside the castle built a tunnel and has hidden it. That would be a backdoor [13].
In 2013, Edward Snowden, a CIA security analyst, revealed how the National Security Agency (NSA) had access to the backdoors of multiple types of technologies, including Facebook, Google, Microsoft, and Yahoo, by intercepting communications using software called Prism[14].
In the particular case of Huawei, U.S. security agencies have alleged that the Chinese government would have access to a “backdoor” in some Huawei and ZTE devices sold worldwide, and that through this backdoor it would have unlimited access to private and public information of millions of people around the world. According to the evidence provided by Snowden, this would be the same as what the U.S. government does through companies in its own country[15].
“Hey Siri, why are you listening to me?”
Devices that run the Android operating system are considered the most insecure ones by computer security experts, which is largely true as it is an open source system. However, iPhone users (whose devices are supposed to be the most secure and reliable technology on the market) who enable the “Hey Siri” option have found that, at the mention of this phrase, the device immediately activates the Siri application and responds “How can I help you?”, regardless of whether the phone is in use or locked.
This is evidence that the system is in permanent listening mode, and although Apple has argued that the system only responds to that phrase and does not react to any other, and that they do not record conversations, the possibility that conversations can be listened to while the phone is locked is real and not just the imagination of some crazy or paranoid promoters of conspiracy theories, as the work of Professor Torres with her students or the investigative work of The New York Times has shown.
Google is no exception
Last year, hundreds of Google employees marched in response to the signing of an agreement called “Maven” between the technology company and the U.S. Department of Defense, which was intended to improve the accuracy of U.S. military attacks. The agreement raised the suspicion of many skeptics around the world, who doubted the purpose of the project, as it could be a covert agreement to facilitate the work of spying through Google’s available technology[16].
On the other hand, the Google Assistant, which responds to the command “Hey Google”, just as it happens with “Siri” of the iPhone, has the ability to understand the instruction even when the device is locked, so it is clear that this corporation also has the technology to monitor conversations and voices even in locked mode.
Not only governments and large corporations spy
Although there is a clear risk of users’ privacy being compromised by global military, commercial, geographic and political interests, the main leaks do not come from governments but from hackers who use malicious software to access and steal sensitive information, damage computers, steal banking information and make fraudulent transactions, among many other illegal activities. According to Kaspersky figures, a malware attack occurs worldwide every 12 seconds.
Another possibility, much more disturbing than eavesdropping by the CIA or the Chinese government, is that the information stolen from our devices is used by criminals for extortion, as happens with “ransomware”, a practice whereby hackers hijack a device, encrypt the information and then demand a ransom for it. Even worse, the stolen information may be sold to third parties, especially when it is corporate information that can be sold to competitors.
Faced with the actions of cybercriminals, we are just as unprotected as we are in a common assault or extortion, so the only thing that can be recommended in this case is obviously not to commit crimes (neither offline nor online), to use only reliable software, not to open messages from unknown senders, to use protection software such as antivirus, and to avoid using electronic media to share personal information that is sensitive or requires special protection[17].
Palliative to security
As the risks of privacy leaks on the Internet have grown, new control mechanisms have been developed by software and hardware manufacturers to promote security improvements. One option provided by the iOS and Android operating systems is to selectively block functions of the different applications that are installed, including access to the microphone, camera or location, among other sources of sensitive data, so that users can control the information and services that downloaded applications may access.
In the case of the iPhone, the latest version of its operating system shows at the top of the screen, by means of an orange and a green LED, whether the camera or the microphone is being used. This way, users can notice if their communications are being intercepted even when they are not using the device, although it is impossible to guarantee that no technological mechanism exists to bypass these warnings.
Likewise, over time, specialized security applications such as Antivirus, Antispyware, AntiRansom and encrypted VPN, among many others, have emerged to improve security on devices and control the flow of sensitive information. These systems, while far from foolproof, may help improve user confidence and information privacy.
In conclusion, as evidenced by the experiment of a Mexican teacher, the research work of The New York Times and the reports of cybersecurity experts, the risks of our privacy being compromised are so high that the best attitude is to take for granted that someone might be listening to what is said, written and done on the Internet. The most appropriate thing, then, is not to say or do anything on the network that might compromise us or get us in trouble, and certainly not to perform illegal activities. If you are an ordinary citizen who has no secrets that may compromise the national security of any country, it is best to relax and continue normal life, because surely neither the government of China nor that of the United States is interested in knowing that you suffer from hemorrhoids, that you expect a child out of wedlock or that you prefer children’s films to adult films. That subject will certainly continue to interest advertisers, who will not tire of using this information to shape the advertising you receive on your social media.
This article is the continuation of the previously published analysis: Are we being spied on from our mobiles?
[1] Link to Raquel Torres’ Twitter account regarding the experiment conducted with students
[2] Twitter thread on Google food search.
[3] Link to the reference tweet about XBOX and Facebook advertising
[4] Link to tweet about advertising on Facebook about wood furniture manufacturing.
[5] Tweet referring to printer advertising after a conversation on Telegram
[6] Reference to the thread about the Mandalorian doll on Facebook
[7] Reference to the thread about the Mandalorian doll on Facebook
[8] Link to Professor Torres’ concluding tweet
[9] The New York Times article on the investigation
[10] Andinalink Article: The Great Anonymous Data Farce
[11] The New York Times article on the investigation
[14] Diario.es article about the back doors of multiple devices used by the NSA
[15] Article from El Mundo (Spain) on espionage through mobile phones
[16] BBC article on Google employees’ protest over controversial US defence project