www/proprietary proprietary-surveillance.html
From: Therese Godefroy
Subject: www/proprietary proprietary-surveillance.html
Date: Sun, 30 Sep 2018 14:00:48 -0400 (EDT)
CVSROOT: /webcvs/www
Module name: www
Changes by: Therese Godefroy <th_g> 18/09/30 14:00:48
Modified files:
proprietary : proprietary-surveillance.html
Log message:
Reorganize, add a few missing items and regenerate from recfile.
CVSWeb URLs:
http://web.cvs.savannah.gnu.org/viewcvs/www/proprietary/proprietary-surveillance.html?cvsroot=www&r1=1.197&r2=1.198
Patches:
Index: proprietary-surveillance.html
===================================================================
RCS file: /webcvs/www/www/proprietary/proprietary-surveillance.html,v
retrieving revision 1.197
retrieving revision 1.198
diff -u -b -r1.197 -r1.198
--- proprietary-surveillance.html 12 Sep 2018 03:31:35 -0000 1.197
+++ proprietary-surveillance.html 30 Sep 2018 18:00:47 -0000 1.198
@@ -58,69 +58,60 @@
</div>
<div class="toc">
- <h3 id="TableOfContents">Table of Contents</h3>
- <ul>
+<h3 id="TableOfContents">Table of Contents</h3>
+<ul>
<li><a href="#Introduction">Introduction</a></li>
- <li><a href="#OSSpyware">Spyware in Operating Systems</a>
+ <li><a href="#OSSpyware">Spyware in Laptops and Desktops</a>
<ul>
- <li><a href="#SpywareInWindows">Spyware in Windows</a></li>
- <li><a href="#SpywareInMacOS">Spyware in MacOS</a></li>
- <li><a href="#SpywareInAndroid">Spyware in Android</a></li>
+ <li><a href="#SpywareInWindows">Windows</a></li>
+ <li><a href="#SpywareInMacOS">MacOS</a></li>
+ <li><a href="#SpywareInBIOS">BIOS</a></li>
</ul>
</li>
<li><a href="#SpywareOnMobiles">Spyware on Mobiles</a>
<ul>
- <li><a href="#SpywareIniThings">Spyware in iThings</a></li>
- <li><a href="#SpywareInTelephones">Spyware in Telephones</a></li>
- <li><a href="#SpywareInMobileApps">Spyware in Mobile
Applications</a></li>
- <li><a href="#SpywareInToys">Spyware in Toys</a></li>
- </ul>
- </li>
- <li><a href="#SpywareOnWearables">Spyware on Wearables</a>
- <ul>
- <li><a href="#SpywareOnSmartWatches">Spyware on Smart
Watches</a></li>
+ <li><a href="#SpywareInTelephones">All “Smart”
Phones</a></li>
+ <li><a href="#SpywareIniThings">iThings</a></li>
+ <li><a href="#SpywareInAndroid">Android Telephones</a></li>
+ <li><a href="#SpywareInElectronicReaders">E-Readers</a></li>
</ul>
</li>
- <li><a href="#SpywareAtLowLevel">Spyware at Low Level</a>
+ <li><a href="#SpywareInApplications">Spyware in Applications</a>
<ul>
- <li><a href="#SpywareInBIOS">Spyware in BIOS</a></li>
+ <li><a href="#SpywareInMobileApps">Mobile Apps</a></li>
+ <li><a href="#SpywareInSkype">Skype</a></li>
+ <li><a href="#SpywareInGames">Games</a></li>
</ul>
</li>
- <li><a href="#SpywareAtWork">Spyware at Work</a>
+ <li><a href="#SpywareInEquipment">Spyware in Connected Equipment</a>
<ul>
- <li><a href="#SpywareInSkype">Spyware in Skype</a></li>
- </ul>
- </li>
- <li><a href="#SpywareOnTheRoad">Spyware on the Road</a>
+ <li><a href="#SpywareInTVSets">TV Sets</a></li>
+ <li><a href="#SpywareInCameras">Cameras</a></li>
+ <li><a href="#SpywareInToys">Toys</a></li>
+ <li><a href="#SpywareInDrones">Drones</a></li>
+ <li><a href="#SpywareAtHome">Other Appliances</a></li>
+ <li><a href="#SpywareOnWearables">Wearables</a>
<ul>
- <li><a href="#SpywareInCameras">Spyware in Cameras</a></li>
- <li><a href="#SpywareInElectronicReaders">Spyware in e-Readers</a></li>
- <li><a href="#SpywareInVehicles">Spyware in Vehicles</a></li>
+ <li><a href="#SpywareOnSmartWatches">“Smart”
Watches</a></li>
</ul>
</li>
- <li><a href="#SpywareAtHome">Spyware at Home</a>
- <ul>
- <li><a href="#SpywareInTVSets">Spyware in TV Sets</a></li>
+ <li><a href="#SpywareInVehicles">Vehicles</a></li>
+ <li><a href="#SpywareInVR">Virtual Reality</a></li>
</ul>
</li>
- <li><a href="#SpywareInGames">Spyware in Games</a></li>
- <li><a href="#SpywareInRecreation">Spyware in Recreation</a></li>
<li><a href="#SpywareOnTheWeb">Spyware on the Web</a>
<ul>
- <li><a href="#SpywareInChrome">Spyware in Chrome</a></li>
- <li><a href="#SpywareInFlash">Spyware in JavaScript and Flash</a></li>
+ <li><a href="#SpywareInChrome">Chrome</a></li>
+ <li><a href="#SpywareInJavaScript">JavaScript</a></li>
+ <li><a href="#SpywareInFlash">Flash</a></li>
</ul>
</li>
- <li><a href="#SpywareInDrones">Spyware in Drones</a></li>
- <li><a href="#SpywareEverywhere">Spyware Everywhere</a></li>
- <li><a href="#SpywareInVR">Spyware In VR</a></li>
- </ul>
-</div>
-
+ <li><a href="#SpywareInNetworks">Spyware in Networks</a></li>
+</ul>
</div>
<div style="clear: left;"></div>
-<!-- #Introduction -->
+</div>
<div class="big-section">
<h3 id="Introduction">Introduction</h3>
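Review bot: The regrouped table of contents no longer links to #SpywareAtLowLevel, #SpywareAtWork, #SpywareOnTheRoad, #SpywareInRecreation or #SpywareEverywhere, so any external page or translation that deep-links to those fragments depends on the ids surviving in the body. Later in this patch an empty `<a id="SpywareAtLowLevel"></a>` is kept in front of the BIOS heading; please check that the other four retired section ids get the same compatibility anchor, otherwise old links will silently land at the top of the page. The two new entries, #SpywareInJavaScript and #SpywareInNetworks, likewise need matching ids in the body for the TOC links to resolve.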
@@ -141,7 +132,7 @@
keyboard, in the mobile computing industry, in the office, at home, in
transportation systems, and in the classroom.</p>
-<h3 id="AggregateInfoCollection">Aggregate or anonymized data</h3>
+<h4 id="AggregateInfoCollection">Aggregate or anonymized data</h4>
<p>Many companies, in their privacy policy, have a clause that claims
they share aggregate, non-personally identifiable information with
@@ -163,1344 +154,1567 @@
they will <em>do</em> with the data they collect. The wrong is that
they collect it at all.</p>
-<h3 id="LatestAdditions">Latest additions</h3>
+<h4 id="LatestAdditions">Latest additions</h4>
<p>Latest additions are found on top under each category.</p>
-<!-- #OSSpyware -->
-<!-- WEBMASTERS: make sure to place new items on top under each subsection -->
+
<div class="big-section">
- <h3 id="OSSpyware">Spyware in Operating Systems</h3>
+ <h3 id="OSSpyware">Spyware in Laptops and Desktops</h3>
<span class="anchor-reference-id">(<a
href="#OSSpyware">#OSSpyware</a>)</span>
</div>
<div style="clear: left;"></div>
-
<div class="big-subsection">
- <h4 id="SpywareInWindows">Spyware in Windows</h4>
+ <h4 id="SpywareInWindows">Windows</h4>
<span class="anchor-reference-id">(<a
href="#SpywareInWindows">#SpywareInWindows</a>)</span>
</div>
-<ul>
- <li><p>Windows 10 telemetry program sends information to Microsoft about the
- user's computer and their use of the computer.</p>
+<ul class="blurbs">
+ <li id="M201712110">
+ <p>HP's proprietary operating system <a
+ href="http://www.bbc.com/news/technology-42309371">includes a
+ proprietary keyboard driver with a key logger in it</a>.</p>
+ </li>
- <p>Furthermore, for users who installed the fourth stable build of
- Windows 10, called the “Creators Update,” Windows maximized
the
- surveillance<a
href="https://arstechnica.com/gadgets/2017/10/dutch-privacy-regulator-says-that-windows-10-breaks-the-law">
+ <li id="M201710134">
+ <p>Windows 10 telemetry program sends information to Microsoft about
+ the user's computer and their use of the computer.</p>
+
+ <p>Furthermore, for users who installed the
+ fourth stable build of Windows 10, called the
+ “Creators Update,” Windows maximized the surveillance <a
+
href="https://arstechnica.com/gadgets/2017/10/dutch-privacy-regulator-says-that-windows-10-breaks-the-law">
by force setting the telemetry mode to “Full”</a>.</p>
-<p>The <a
-href="https://docs.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization#full-level">
+ <p>The <a
+
href="https://docs.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization#full-level">
“Full” telemetry mode</a> allows Microsoft Windows
- engineers to access, among other things, registry keys
- <a href="https://technet.microsoft.com/en-us/library/cc939702.aspx">which
+ engineers to access, among other things, registry keys <a
+ href="https://technet.microsoft.com/en-us/library/cc939702.aspx">which
can contain sensitive information like administrator's login
- password</a>.</p></li>
+ password</a>.</p>
+ </li>
+
+ <li id="M201702020">
+ <p>DRM-restricted files can be used to <a
+
href="https://yro.slashdot.org/story/17/02/02/231229/windows-drm-protected-files-used-to-decloak-tor-browser-users">
+ identify people browsing through Tor</a>. The vulnerability exists
+ only if you use Windows.</p>
+ </li>
- <li><p>Windows DRM
- files <a
href="https://yro.slashdot.org/story/17/02/02/231229/windows-drm-protected-files-used-to-decloak-tor-browser-users">can
- be used to identify people browsing through Tor</a>. The
- vulnerability exists only if you use Windows.
- </p></li>
-
- <li><p>By default, Windows 10 <a
href="http://betanews.com/2016/11/24/microsoft-shares-windows-10-telemetry-data-with-third-parties">sends
- debugging information to Microsoft, including core dumps</a>. Microsoft
now distributes them to another company.</p></li>
-
-<li>In order to increase Windows 10's install base, Microsoft
-<a
-href="https://www.eff.org/deeplinks/2016/08/windows-10-microsoft-blatantly-disregards-user-choice-and-privacy-deep-dive">
-blatantly disregards user choice and privacy</a>.
-</li>
-
- <li><p><a
href="https://duo.com/blog/bring-your-own-dilemma-oem-laptops-and-windows-10-security">
- Windows 10 comes with 13 screens of snooping options</a>, all enabled by
default,
- and turning them off would be daunting to most users.</p></li>
+ <li id="M201611240">
+ <p>By default, Windows 10 <a
+
href="http://betanews.com/2016/11/24/microsoft-shares-windows-10-telemetry-data-with-third-parties">sends
+ debugging information to Microsoft, including core dumps</a>. Microsoft
+ now distributes them to another company.</p>
+ </li>
+
+ <li id="M201608171">
+ <p>In order to increase Windows 10's install base, Microsoft <a
+
href="https://www.eff.org/deeplinks/2016/08/windows-10-microsoft-blatantly-disregards-user-choice-and-privacy-deep-dive">
+ blatantly disregards user choice and privacy</a>.</p>
+ </li>
- <li><p><a
href="https://theintercept.com/2015/12/28/recently-bought-a-windows-computer-microsoft-probably-has-your-encryption-key/">
- Microsoft has already backdoored its disk encryption</a>.</p></li>
+ <li id="M201603170">
+ <p><a
+
href="https://duo.com/blog/bring-your-own-dilemma-oem-laptops-and-windows-10-security">
+ Windows 10 comes with 13 screens of snooping options</a>, all enabled
+ by default, and turning them off would be daunting to most users.</p>
+ </li>
- <li>It appears
- <a
href="http://www.ghacks.net/2016/01/05/microsoft-may-be-collecting-more-data-than-initially-thought/">
+ <li id="M201601050">
+ <p>It appears <a
+
href="http://www.ghacks.net/2016/01/05/microsoft-may-be-collecting-more-data-than-initially-thought/">
Windows 10 sends data to Microsoft about what applications are
- running</a>.</li>
- <li><p>A downgrade to Windows 10 deleted surveillance-detection
+ running</a>.</p>
+ </li>
+
+ <li id="M201512280">
+ <p>Microsoft has <a
+
href="https://theintercept.com/2015/12/28/recently-bought-a-windows-computer-microsoft-probably-has-your-encryption-key/">
+ backdoored its disk encryption</a>.</p>
+ </li>
+
+ <li id="M201511264">
+ <p>A downgrade to Windows 10 deleted surveillance-detection
applications. Then another downgrade inserted a general spying
- program. Users noticed this and complained, so Microsoft
- renamed it
- <a
href="https://web.archive.org/web/20160407082751/http://www.theregister.co.uk/2015/11/26/microsoft_renamed_data_slurper_reinserted_windows_10/">
+ program. Users noticed this and complained, so Microsoft renamed it <a
+
href="https://www.theregister.co.uk/2015/11/26/microsoft_renamed_data_slurper_reinserted_windows_10/">
to give users the impression it was gone</a>.</p>
+
<p>To use proprietary software is to invite such treatment.</p>
</li>
- <li><p>
- Windows 10 <a
href="https://web.archive.org/web/20151001035410/https://jonathan.porta.codes/2015/07/30/windows-10-seems-to-have-some-scary-privacy-defaults/">
- ships with default settings that show no regard for the
- privacy of its users</a>, giving Microsoft the “right”
- to snoop on the users' files, text input, voice input,
- location info, contacts, calendar records and web browsing
- history, as well as automatically connecting the machines to open
- hotspots and showing targeted ads.</p></li>
-
- <li><p>
- <a
href="http://arstechnica.com/information-technology/2015/08/even-when-told-not-to-windows-10-just-cant-stop-talking-to-microsoft/">
- Windows 10 sends identifiable information to Microsoft</a>, even if a user
- turns off its Bing search and Cortana features, and activates the
- privacy-protection settings.</p></li>
-
- <li><p>
- Microsoft uses Windows 10's “privacy policy” to overtly impose a
- “right” to look at users' files at any time. Windows 10 full disk
- encryption <a
href="https://edri.org/microsofts-new-small-print-how-your-personal-data-abused/">
+
+ <li id="M201508180">
+ <p><a
+
href="https://web.archive.org/web/20150905163414/http://www.pocket-lint.com/news/134954-cortana-is-always-listening-with-new-wake-on-voice-tech-even-when-windows-10-is-sleeping">
+ Intel devices will be able to listen for speech all the time, even
+ when “off.”</a></p>
+ </li>
+
+ <li id="M201508130">
+ <p><a
+
href="http://arstechnica.com/information-technology/2015/08/even-when-told-not-to-windows-10-just-cant-stop-talking-to-microsoft/">
+ Windows 10 sends identifiable information to Microsoft</a>, even if
+ a user turns off its Bing search and Cortana features, and activates
+ the privacy-protection settings.</p>
+ </li>
+
+ <li id="M201507300">
+ <p>Windows 10 <a
+
href="https://jonathan.porta.codes/2015/07/30/windows-10-seems-to-have-some-scary-privacy-defaults/">
+ ships with default settings that show no regard for the privacy of
+ its users</a>, giving Microsoft the “right” to snoop on
+ the users' files, text input, voice input, location info, contacts,
+ calendar records and web browsing history, as well as automatically
+ connecting the machines to open hotspots and showing targeted ads.</p>
+
+ <p>We can suppose Microsoft look at users' files for the US government
+ on demand, though the “privacy policy” does not explicitly
+ say so. Will it look at users' files for the Chinese government
+ on demand?</p>
+ </li>
+
+ <li id="M201506170">
+ <p>Microsoft uses Windows 10's “privacy policy”
+ to overtly impose a “right” to look at
+ users' files at any time. Windows 10 full disk encryption <a
+
href="https://edri.org/microsofts-new-small-print-how-your-personal-data-abused/">
gives Microsoft a key</a>.</p>
- <p>Thus, Windows is overt malware in regard to surveillance,
- as in other issues.</p>
+ <p>Thus, Windows is overt malware in regard to surveillance, as in
+ other issues.</p>
- <p>We can suppose Microsoft look at users' files for the US government on
- demand, though the “privacy policy” does not explicit say so.
Will it
- look at users' files for the Chinese government on demand?</p>
+ <p>We can suppose Microsoft look at users' files for the US government
+ on demand, though the “privacy policy” does not explicit
+ say so. Will it look at users' files for the Chinese government
+ on demand?</p>
- <p>The unique “advertising ID” for each user enables other
companies to
- track the browsing of each specific user.</p>
+ <p>The unique “advertising ID” for each user enables
+ other companies to track the browsing of each specific user.</p>
<p>It's as if Microsoft has deliberately chosen to make Windows 10
maximally evil on every dimension; to make a grab for total power
- over anyone that doesn't drop Windows now.</p></li>
+ over anyone that doesn't drop Windows now.</p>
+ </li>
- <li><p>It only gets worse with time.
- <a
href="http://www.techworm.net/2014/10/microsofts-windows-10-permission-watch-every-move.html">
+ <li id="M201410040">
+ <p>It only gets worse with time. <a
+
href="http://www.techworm.net/2014/10/microsofts-windows-10-permission-watch-every-move.html">
Windows 10 requires users to give permission for total snooping</a>,
including their files, their commands, their text input, and their
voice input.</p>
</li>
- <li><p><a
href="http://www.infoworld.com/article/2611451/microsoft-windows/a-look-at-the-black-underbelly-of-windows-8-1--blue-.html">
- Windows 8.1 snoops on local searches.</a>.</p>
+ <li id="M201401150">
+ <p id="baidu-ime"><a
+
href="https://www.techrepublic.com/blog/asian-technology/japanese-government-warns-baidu-ime-is-spying-on-users/">
+ Baidu's Japanese-input and Chinese-input apps spy on users</a>.</p>
</li>
- <li><p>And there's a
- <a href="http://www.marketoracle.co.uk/Article40836.html">
- secret NSA key in Windows</a>, whose functions we don't know.</p>
+ <li id="M201307080">
+ <p>Spyware in older versions of Windows: <a
+ href="https://www.theregister.co.uk/2003/02/28/windows_update_keeps_tabs/">
+ Windows Update snoops on the user</a>. <a
+
href="https://www.infoworld.com/article/2611451/microsoft-windows/a-look-at-the-black-underbelly-of-windows-8-1--blue-.html">
+ Windows 8.1 snoops on local searches</a>. And there's a <a
+ href="http://www.marketoracle.co.uk/Article40836.html"> secret NSA
+ key in Windows</a>, whose functions we don't know.</p>
</li>
-
- <li>HP's proprietary
- operating system <a
href="http://www.bbc.com/news/technology-42309371">includes
- a proprietary keyboard driver with a key logger in it</a>.</li>
</ul>
+
<p>Microsoft's snooping on users did not start with Windows 10.
There's a lot more <a href="/proprietary/malware-microsoft.html">
Microsoft malware</a>.</p>
<div class="big-subsection">
- <h4 id="SpywareInMacOS">Spyware in MacOS</h4>
+ <h4 id="SpywareInMacOS">MacOS</h4>
<span class="anchor-reference-id">(<a
href="#SpywareInMacOS">#SpywareInMacOS</a>)</span>
</div>
-<ul>
- <li><p>Adware Doctor, an ad blocker for
- MacOS, <a
href="https://motherboard.vice.com/en_us/article/wjye8x/mac-anti-adware-doctor-app-steals-browsing-history">reports
+<ul class="blurbs">
+ <li id="M201809070">
+ <p>Adware Doctor, an ad blocker for MacOS, <a
+
href="https://motherboard.vice.com/en_us/article/wjye8x/mac-anti-adware-doctor-app-steals-browsing-history">reports
the user's browsing history</a>.</p>
</li>
- <li><p><a
href="http://www.washingtonpost.com/blogs/the-switch/wp/2014/10/30/how-one-mans-private-files-ended-up-on-apples-icloud-without-his-consent/">
- MacOS automatically sends to Apple servers unsaved documents being
- edited</a>. The <a
-
href="https://www.schneier.com/blog/archives/2014/10/apple_copies_yo.html?utm_source=twitterfeed&utm_medium=twitter/">
- things you have not decided to save are even more sensitive than
- the things you have stored in files</a>.</p>
- </li>
-
- <li><p>Apple has made various
- <a
href="http://www.theguardian.com/technology/2014/nov/04/apple-data-privacy-icloud">
+ <li id="M201411040">
+ <p>Apple has made various <a
+
href="http://www.theguardian.com/technology/2014/nov/04/apple-data-privacy-icloud">
MacOS programs send files to Apple servers without asking
- permission</a>. This exposes the files to Big Brother and perhaps to
- other snoops.</p>
+ permission</a>. This exposes the files to Big Brother and perhaps
+ to other snoops.</p>
<p>It also demonstrates how you can't trust proprietary software,
- because even if today's version doesn't have a malicious
- functionality, tomorrow's version might add it. The developer won't
- remove the malfeature unless many users push back hard, and the users
- can't remove it themselves.</p>
+ because even if today's version doesn't have a malicious functionality,
+ tomorrow's version might add it. The developer won't remove the
+ malfeature unless many users push back hard, and the users can't
+ remove it themselves.</p>
</li>
- <li><p>Various operations in
- <a
href="http://lifehacker.com/safari-and-spotlight-can-send-data-to-apple-heres-how-1648453540">
- the latest MacOS send reports to Apple</a> servers.</p>
+ <li id="M201410300">
+ <p> MacOS automatically <a
+
href="https://web.archive.org/web/20170831144456/https://www.washingtonpost.com/news/the-switch/wp/2014/10/30/how-one-mans-private-files-ended-up-on-apples-icloud-without-his-consent/">
+ sends to Apple servers unsaved documents being edited</a>. The
+ things you have not decided to save are <a
+
href="https://www.schneier.com/blog/archives/2014/10/apple_copies_yo.html?utm_source=twitterfeed&utm_medium=twitter/">
+ even more sensitive</a> than the things you have stored in files.</p>
+ </li>
+
+ <li id="M201410220">
+ <p>Apple admits the <a
+
href="http://www.intego.com/mac-security-blog/spotlight-suggestions-in-os-x-yosemite-and-ios-are-you-staying-private/">
+ spying in a search facility</a>, but there's a lot <a
+ href="https://github.com/fix-macosx/yosemite-phone-home"> more snooping
+ that Apple has not talked about</a>.</p>
</li>
- <li><p>Apple admits the
- <a
href="http://www.intego.com/mac-security-blog/spotlight-suggestions-in-os-x-yosemite-and-ios-are-you-staying-private/">
- spying in a search facility</a>, but there's a lot
- <a href="https://github.com/fix-macosx/yosemite-phone-home">
- more snooping that Apple has not talked about</a>.</p>
+ <li id="M201410200">
+ <p>Various operations in <a
+
href="http://lifehacker.com/safari-and-spotlight-can-send-data-to-apple-heres-how-1648453540">
+ the latest MacOS send reports to Apple</a> servers.</p>
</li>
- <li><p><a
href="http://finance.yahoo.com/blogs/the-exchange/privacy-advocates-worry-over-new-apple-iphone-tracking-feature-161836223.html">
+ <li id="M201401101">
+ <p><a
+
href="http://finance.yahoo.com/blogs/the-exchange/privacy-advocates-worry-over-new-apple-iphone-tracking-feature-161836223.html">
Spotlight search</a> sends users' search terms to Apple.</p>
</li>
</ul>
+
<p>There's a lot more <a href="#SpywareIniThings">iThing spyware</a>, and
<a href="/proprietary/malware-apple.html">Apple malware</a>.</p>
<div class="big-subsection">
- <h4 id="SpywareInAndroid">Spyware in Android</h4>
- <span class="anchor-reference-id">(<a
href="#SpywareInAndroid">#SpywareInAndroid</a>)</span>
+ <a id="SpywareAtLowLevel"></a>
+ <h4 id="SpywareInBIOS">BIOS</h4>
+ <span class="anchor-reference-id">(<a
href="#SpywareInBIOS">#SpywareInBIOS</a>)</span>
</div>
-<ul>
-<li>
- <p>Some Google apps on Android <a
-
href="https://www.theguardian.com/technology/2018/aug/13/google-location-tracking-android-iphone-mobile">
- record the user's location even when users disable “location
- tracking”</a>.</p>
-
- <p>There are other ways to turn off the other kinds of location tracking,
- but most users will be tricked by the misleading control.</p>
-</li>
-
-<li>
- <p>More
- than <a
href="https://www.theguardian.com/technology/2018/apr/16/child-apps-games-android-us-google-play-store-data-sharing-law-privacy">50%
- of the 5,855 Android apps studied by researchers were found to
- snoop and collect information about its users</a>. 40% of the
- apps were found to insecurely snitch on its users. Furthermore,
- they could detect only some methods of snooping, in these
- proprietary apps whose source code they cannot look at. The other
- apps might be snooping in other ways.</p>
-
- <p>This is evidence that proprietary apps generally work against
- their users. To protect their privacy and freedom, Android users need
- to get rid of the proprietary software—both proprietary Android
- by <a href="https://replicant.us">switching to Replicant</a>, and
- the proprietary apps by getting apps from the free software
- only <a href="https://f-droid.org/">F-Droid store</a>
- that <a href="https://f-droid.org/wiki/page/Antifeatures">
- prominently warns the user if an app contains
- anti-features</a>.</p>
-</li>
-
-<li>
- <p>20 dishonest Android apps
- recorded <a
href="https://arstechnica.com/information-technology/2017/07/stealthy-google-play-apps-recorded-calls-and-stole-e-mails-and-texts">phone
- calls and sent them and text messages and emails to
- snoopers</a>.</p>
-
- <p>Google did not intend to make these apps spy; on the contrary, it
- worked in various ways to prevent that, and deleted these apps
- after discovering what they did. So we cannot blame Google
- specifically for the snooping of these apps.</p>
-
- <p>On the other hand, Google redistributes nonfree Android apps, and
- therefore shares in the responsibility for the injustice of their
- being nonfree. It also distributes its own nonfree apps, such as
- Google
- Play, <a href="/philosophy/free-software-even-more-important.html">which
- are malicious</a>.</p>
-
- <p>Could Google have done a better job of preventing apps from
- cheating? There is no systematic way for Google, or Android
- users, to inspect executable proprietary apps to see what they
- do.</p>
-
- <p>Google could demand the source code for these apps, and study the
- source code somehow to determine whether they mistreat users in
- various ways. If it did a good job of this, it could more or less
- prevent such snooping, except when the app developers are clever
- enough to outsmart the checking.</p>
-
- <p>But since Google itself develops malicious apps, we cannot trust
- Google to protect us. We must demand release of source code to the
- public, so we can depend on each other.</p>
-</li>
-<li>
- <p>A
- <a
href="https://research.csiro.au/ng/wp-content/uploads/sites/106/2016/08/paper-1.pdf">
- research paper</a> that investigated the privacy and security
- of 283 Android VPN apps concluded that “in spite of the
- promises for privacy, security, and anonymity given by the
- majority of VPN apps—millions of users may be unawarely subject
- to poor security guarantees and abusive practices inflicted by
- VPN apps.”</p>
-
- <p>Following is a non-exhaustive list of proprietary VPN apps from
- the research paper that tracks and infringes the privacy of
- users:</p>
-
- <dl>
- <dt>SurfEasy</dt>
- <dd>Includes tracking libraries such as NativeX and Appflood,
- meant to track users and show them targeted ads.</dd>
+<ul class="blurbs">
+ <li id="M201509220">
+ <p><a
+
href="http://www.computerworld.com/article/2984889/windows-pcs/lenovo-collects-usage-data-on-thinkpad-thinkcentre-and-thinkstation-pcs.html">
+ Lenovo stealthily installed crapware and spyware via
+ BIOS</a> on Windows installs. Note that the specific
+ sabotage method Lenovo used did not affect GNU/Linux; also, a
+ “clean” Windows install is not really clean since <a
+ href="/proprietary/malware-microsoft.html">Microsoft puts in its
+ own malware</a>.</p>
+ </li>
+</ul>
- <dt>sFly Network Booster</dt>
- <dd>Requests the <code>READ_SMS</code> and <code>SEND_SMS</code>
- permissions upon installation, meaning it has full access to
- users' text messages.</dd>
- <dt>DroidVPN and TigerVPN</dt>
- <dd>Requests the <code>READ_LOGS</code> permission to read logs
- for other apps and also core system logs. TigerVPN developers
- have confirmed this.</dd>
- <dt>HideMyAss</dt>
- <dd>Sends traffic to LinkedIn. Also, it stores detailed logs
- and may turn them over to the UK government if
- requested.</dd>
+<div class="big-section">
+ <h3 id="SpywareOnMobiles">Spyware on Mobiles</h3>
+ <span class="anchor-reference-id">(<a
href="#SpywareOnMobiles">#SpywareOnMobiles</a>)</span>
+</div>
+<div style="clear: left;"></div>
- <dt>VPN Services HotspotShield</dt>
- <dd>Injects JavaScript code into the HTML pages returned to the
- users. The stated purpose of the JS injection is to display
- ads. Uses roughly 5 tracking libraries. Also, it redirects the
- user's traffic through valueclick.com (an advertising
- website).</dd>
+<div class="big-subsection">
+ <h4 id="SpywareInTelephones">All “Smart” Phones</h4>
+ <span class="anchor-reference-id">(<a
href="#SpywareInTelephones">#SpywareInTelephones</a>)</span>
+</div>
- <dt>WiFi Protector VPN</dt>
- <dd>Injects JavaScript code into HTML pages, and also uses
- roughly 5 tracking libraries. Developers of this app have
- confirmed that the non-premium version of the app does
- JavaScript injection for tracking and display ads.</dd>
- </dl>
-</li>
-<li>
- <p><a
href="http://www.privmetrics.org/wp-content/uploads/2015/06/wisec2015.pdf">A
study in 2015</a> found that 90% of the top-ranked gratis
- proprietary Android apps contained recognizable tracking libraries. For
- the paid proprietary apps, it was only 60%.</p>
-
- <p>The article confusingly describes gratis apps as “free”,
- but most of them are not in fact
- <a href="/philosophy/free-sw.html">free software</a>.
- It also uses the ugly word “monetize”. A good replacement
- for that word is “exploit”; nearly always that will fit
- perfectly.</p>
-</li>
-
-<li>
- <p>Apps for BART
- <a
href="https://consumerist.com/2017/05/23/passengers-say-commuter-rail-app-illegally-collects-personal-user-data/">snoop
on users</a>.</p>
- <p>With free software apps, users could <em>make sure</em> that they don't
snoop.</p>
- <p>With proprietary apps, one can only hope that they don't.</p>
-</li>
+<ul class="blurbs">
+ <li id="M201601110">
+ <p>The natural extension of monitoring
+ people through “their” phones is <a
+
href="http://www.northwestern.edu/newscenter/stories/2016/01/fool-activity-tracker.html">
+ proprietary software to make sure they can't “fool”
+ the monitoring</a>.</p>
+ </li>
-<li>
- <p>A study found 234 Android apps that track users by
- <a
href="https://www.bleepingcomputer.com/news/security/234-android-applications-are-currently-using-ultrasonic-beacons-to-track-users/">listening
- to ultrasound from beacons placed in stores or played by TV
programs</a>.
- </p>
-
-</li>
-
-<li>
- <p>Pairs of Android apps can collude to transmit users' personal
- data to servers. <a
href="https://www.theatlantic.com/technology/archive/2017/04/when-apps-collude-to-steal-your-data/522177/">A
study found
- tens of thousands of pairs that collude</a>.</p>
-</li>
-
-<li>
-<p>Google Play intentionally sends app developers <a
-href="http://gadgets.ndtv.com/apps/news/google-play-store-policy-raises-privacy-concerns-331116">
-the personal details of users that install the app</a>.</p>
-
-<p>Merely asking the “consent” of users is not enough
-to legitimize actions like this. At this point, most users have
-stopped reading the “Terms and Conditions” that spell out
-what they are “consenting” to. Google should clearly
-and honestly identify the information it collects on users, instead
-of hiding it in an obscurely worded EULA.</p>
-
-<p>However, to truly protect people's privacy, we must prevent Google
-and other companies from getting this personal information in the first
-place!</p>
-</li>
+ <li id="M201510050">
+ <p>According to Edward Snowden, <a
+ href="http://www.bbc.com/news/uk-34444233">agencies can take over
+ smartphones</a> by sending hidden text messages which enable
+ them to turn the phones on and off, listen to the microphone,
+ retrieve geo-location data from the GPS, take photographs, read
+ text messages, read call, location and web browsing history, and
+ read the contact list. This malware is designed to disguise itself
+ from investigation.</p>
+ </li>
+
+ <li id="M201311120">
+ <p><a
+
href="https://web.archive.org/web/20180816030205/http://www.spiegel.de/international/world/privacy-scandal-nsa-can-spy-on-smart-phone-data-a-920971.html">
+ The NSA can tap data in smart phones, including iPhones,
+ Android, and BlackBerry</a>. While there is not much
+ detail here, it seems that this does not operate via
+ the universal back door that we know nearly all portable
+ phones have. It may involve exploiting various bugs. There are <a
+
href="http://www.osnews.com/story/27416/The_second_operating_system_hiding_in_every_mobile_phone">
+ lots of bugs in the phones' radio software</a>.</p>
+ </li>
+
+ <li id="M201307000">
+ <p>Portable phones with GPS <a
+
href="http://www.aclu.org/government-location-tracking-cell-phones-gps-devices-and-license-plate-readers">
+ will send their GPS location on remote command, and users cannot stop
+ them</a>. (The US says it will eventually require all new portable phones
+ to have GPS.)</p>
+ </li>
+</ul>
- <li>
- <p>Google Play (a component of Android) <a
-
href="https://www.extremetech.com/mobile/235594-yes-google-play-is-tracking-you-and-thats-just-the-tip-of-a-very-large-iceberg">
- tracks the users' movements without their permission</a>.</p>
- <p>Even if you disable Google Maps and location tracking, you must
- disable Google Play itself to completely stop the tracking. This is
- yet another example of nonfree software pretending to obey the user,
- when it's actually doing something else. Such a thing would be almost
- unthinkable with free software.</p>
+<div class="big-subsection">
+ <h4 id="SpywareIniThings">iThings</h4>
+ <span class="anchor-reference-id">(<a
href="#SpywareIniThings">#SpywareIniThings</a>)</span>
+</div>
+<ul class="blurbs">
+ <li id="M201711250">
+ <p>The DMCA and the EU Copyright Directive make it <a
+ href="https://boingboing.net/2017/11/25/la-la-la-cant-hear-you.html">
+ illegal to study how iOS cr…apps spy on users</a>, because
+ this would require circumventing the iOS DRM.</p>
</li>
- <li><p>More than 73% of the most popular Android apps
- <a href="http://jots.pub/a/2015103001/index.php">share personal,
- behavioral and location information</a> of their users with third
parties.</p>
+ <li id="M201709210">
+ <p>In the latest iThings system,
+ “turning off” WiFi and Bluetooth the obvious way <a
+
href="https://www.theguardian.com/technology/2017/sep/21/ios-11-apple-toggling-wifi-bluetooth-control-centre-doesnt-turn-them-off">
+ doesn't really turn them off</a>. A more advanced way really does turn
+ them off—only until 5am. That's Apple for you—“We
+ know you want to be spied on”.</p>
</li>
- <li><p>“Cryptic communication,” unrelated to the app's
functionality,
- was <a
href="http://news.mit.edu/2015/data-transferred-android-apps-hiding-1119">
- found in the 500 most popular gratis Android apps</a>.</p>
-
- <p>The article should not have described these apps as
- “free”—they are not free software. The clear way to say
- “zero price” is “gratis.”</p>
-
- <p>The article takes for granted that the usual analytics tools are
- legitimate, but is that valid? Software developers have no right to
- analyze what users are doing or how. “Analytics” tools that
snoop are
- just as wrong as any other snooping.</p>
- </li>
- <li><p>Gratis Android apps (but not <a href="/philosophy/free-sw.html">free
software</a>)
- connect to 100
- <a
href="http://www.theguardian.com/technology/2015/may/06/free-android-apps-connect-tracking-advertising-websites">tracking
and advertising</a> URLs,
- on the average.</p>
- </li>
- <li><p>Spyware is present in some Android devices when they are sold.
- Some Motorola phones modify Android to
- <a
href="http://www.beneaththewaves.net/Projects/Motorola_Is_Listening.html">
- send personal data to Motorola</a>.</p>
+ <li id="M201702150">
+ <p>Apple proposes <a
+
href="https://www.theguardian.com/technology/2017/feb/15/apple-removing-iphone-home-button-fingerprint-scanning-screen">a
+ fingerprint-scanning touch screen</a>—which would mean no way
+ to use it without having your fingerprints taken. Users would have
+ no way to tell whether the phone is snooping on them.</p>
</li>
- <li><p>Some manufacturers add a
- <a
href="http://androidsecuritytest.com/features/logs-and-services/loggers/carrieriq/">
- hidden general surveillance package such as Carrier IQ.</a></p>
+ <li id="M201611170">
+ <p>iPhones <a
+
href="https://theintercept.com/2016/11/17/iphones-secretly-send-call-history-to-apple-security-firm-says/">send
+ lots of personal data to Apple's servers</a>. Big Brother can get
+ them from there.</p>
</li>
- <li><p><a href="/proprietary/proprietary-back-doors.html#samsung">
- Samsung's back door</a> provides access to any file on the system.</p>
+ <li id="M201609280">
+ <p>The iMessage app on iThings <a
+
href="https://theintercept.com/2016/09/28/apple-logs-your-imessage-contacts-and-may-share-them-with-police/">tells
+ a server every phone number that the user types into it</a>; the
+ server records these numbers for at least 30 days.</p>
</li>
-</ul>
+ <li id="M201509240">
+ <p>iThings automatically upload to Apple's servers all the photos
+ and videos they make.</p>
+ <blockquote><p> iCloud Photo Library stores every photo and video you
+ take, and keeps them up to date on all your devices. Any edits you
+ make are automatically updated everywhere. […] </p></blockquote>
-<!-- #SpywareOnMobiles -->
-<!-- WEBMASTERS: make sure to place new items on top under each subsection -->
+ <p>(From <a href="https://www.apple.com/icloud/photos/">Apple's iCloud
+ information</a> as accessed on 24 Sep 2015.) The iCloud feature is
+ <a href="https://support.apple.com/en-us/HT202033">activated by the
+ startup of iOS</a>. The term “cloud” means “please
+ don't ask where.”</p>
-<div class="big-section">
- <h3 id="SpywareOnMobiles">Spyware on Mobiles</h3>
- <span class="anchor-reference-id">(<a
href="#SpywareOnMobiles">#SpywareOnMobiles</a>)</span>
-</div>
-<div style="clear: left;"></div>
+ <p>There is a way to
+ <a href="https://support.apple.com/en-us/HT201104"> deactivate
+ iCloud</a>, but it's active by default so it still counts as a
+ surveillance functionality.</p>
+ <p>Unknown people apparently took advantage of this to <a
+
href="https://www.theguardian.com/technology/2014/sep/01/naked-celebrity-hack-icloud-backup-jennifer-lawrence">get
+ nude photos of many celebrities</a>. They needed to break Apple's
+ security to get at them, but NSA can access any of them through <a
+
href="/philosophy/surveillance-vs-democracy.html#digitalcash">PRISM</a>.</p>
+ </li>
-<div class="big-subsection">
- <h4 id="SpywareIniThings">Spyware in iThings</h4>
- <span class="anchor-reference-id">(<a
href="#SpywareIniThings">#SpywareIniThings</a>)</span>
-</div>
+ <li id="M201409220">
+ <p>Apple can, and regularly does, <a
+
href="http://arstechnica.com/apple/2014/05/new-guidelines-outline-what-iphone-data-apple-can-give-to-police/">
+ remotely extract some data from iPhones for the state</a>.</p>
-<ul>
- <li><p>The DMCA and the EU Copyright Directive make it <a
-href="https://boingboing.net/2017/11/25/la-la-la-cant-hear-you.html">
- illegal to study how iOS cr...apps spy on users</a>, because this
- would require circumventing the iOS DRM.</p>
+ <p>This may have improved with <a
+
href="http://www.washingtonpost.com/business/technology/2014/09/17/2612af58-3ed2-11e4-b03f-de718edeb92f_story.html">
+ iOS 8 security improvements</a>; but <a
+ href="https://firstlook.org/theintercept/2014/09/22/apple-data/">
+ not as much as Apple claims</a>.</p>
</li>
- <li><p>In the latest iThings system, “turning off” WiFi and
Bluetooth the
- obvious way <a
-
href="https://www.theguardian.com/technology/2017/sep/21/ios-11-apple-toggling-wifi-bluetooth-control-centre-doesnt-turn-them-off">
- doesn't really turn them off</a>.
- A more advanced way really does turn them off—only until 5am.
- That's Apple for you—“We know you want to be spied
on”.</p>
+ <li id="M201407230">
+ <p><a
+
href="http://www.theguardian.com/technology/2014/jul/23/iphone-backdoors-surveillance-forensic-services">
+ Several “features” of iOS seem to exist
+ for no possible purpose other than surveillance</a>. Here is the <a
+
href="http://www.zdziarski.com/blog/wp-content/uploads/2014/07/iOS_Backdoors_Attack_Points_Surveillance_Mechanisms_Moved.pdf">
+ Technical presentation</a>.</p>
</li>
- <li><p>Apple proposes
- <a
href="https://www.theguardian.com/technology/2017/feb/15/apple-removing-iphone-home-button-fingerprint-scanning-screen">a
fingerprint-scanning touch screen</a>
- — which would mean no way to use it without having your
fingerprints
- taken. Users would have no way to tell whether the phone is snooping on
- them.</p></li>
+ <li id="M201401100">
+ <p>The <a class="not-a-duplicate"
+
href="http://finance.yahoo.com/blogs/the-exchange/privacy-advocates-worry-over-new-apple-iphone-tracking-feature-161836223.html">
+ iBeacon</a> lets stores determine exactly where the iThing is, and
+ get other info too.</p>
+ </li>
- <li><p>iPhones <a
href="https://theintercept.com/2016/11/17/iphones-secretly-send-call-history-to-apple-security-firm-says/">send
- lots of personal data to Apple's servers</a>. Big Brother can
- get them from there.</p>
+ <li id="M201312300">
+ <p><a
+
href="http://www.zerohedge.com/news/2013-12-30/how-nsa-hacks-your-iphone-presenting-dropout-jeep">
+ Either Apple helps the NSA snoop on all the data in an iThing, or it
+ is totally incompetent</a>.</p>
</li>
- <li><p>The iMessage app on iThings <a
href="https://theintercept.com/2016/09/28/apple-logs-your-imessage-contacts-and-may-share-them-with-police/">tells
- a server every phone number that the user types into it</a>; the
server records these numbers for at least 30
- days.</p>
+ <li id="M201308080">
+ <p>The iThing also <a
+
href="https://www.theregister.co.uk/2013/08/08/ios7_tracking_now_its_a_favourite_feature/">
+ tells Apple its geolocation</a> by default, though that can be
+ turned off.</p>
</li>
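Review bot: the link in the new M201308080 item points at https://www.theregister.co.uk/2013/08/08/ios7_tracking_now_its_a_favourite_feature/ directly, while the removed version of the same item used the web.archive.org snapshot (20160313215042) of that page. Please confirm the change is intended. If the snapshot was there because the live article had moved or changed, the recfile entry should carry the archived URL so that regenerating the page does not lose it.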
- <li><p>Users cannot make an Apple ID <a
-href="https://apple.stackexchange.com/questions/49951/how-can-i-download-free-apps-without-registering-an-apple-id">
- (necessary to install even gratis apps)</a>
- without giving a valid email address and receiving the code Apple
- sends to it.</p>
+ <li id="M201210170">
+ <p>There is also a feature for web sites to track users, which is <a
+
href="http://nakedsecurity.sophos.com/2012/10/17/how-to-disable-apple-ios-user-tracking-ios-6/">
+ enabled by default</a>. (That article talks about iOS 6, but it is
+ still true in iOS 7.)</p>
</li>
- <li><p>Around 47% of the most popular iOS apps
- <a class="not-a-duplicate"
- href="http://jots.pub/a/2015103001/index.php">share personal,
- behavioral and location information</a> of their users with third
parties.</p>
+ <li id="M201204280">
+ <p>Users cannot make an Apple ID (<a
+
href="https://apple.stackexchange.com/questions/49951/how-can-i-download-free-apps-without-registering-an-apple-id">
+ necessary to install even gratis apps</a>) without giving a valid
+ email address and receiving the verification code Apple sends
+ to it.</p>
</li>
+</ul>
- <li><p>iThings automatically upload to Apple's servers all the photos and
- videos they make.</p>
- <blockquote><p>
- iCloud Photo Library stores every photo and video you take,
- and keeps them up to date on all your devices.
- Any edits you make are automatically updated everywhere. [...]
- </p></blockquote>
+<div class="big-subsection">
+ <h4 id="SpywareInAndroid">Android Telephones</h4>
+ <span class="anchor-reference-id">(<a
href="#SpywareInAndroid">#SpywareInAndroid</a>)</span>
+</div>
- <p>(From <a href="https://www.apple.com/icloud/photos/">Apple's iCloud
- information</a> as accessed on 24 Sep 2015.) The iCloud feature is
- <a href="https://support.apple.com/en-us/HT202033">activated by the
- startup of iOS</a>. The term “cloud” means
- “please don't ask where.”</p>
+<ul class="blurbs">
+ <li id="M201711210">
+ <p>Android tracks location for Google <a
+
href="https://www.techdirt.com/articles/20171121/09030238658/investigation-finds-google-collected-location-data-even-with-location-services-turned-off.shtml">
+ even when “location services” are turned off, even when
+ the phone has no SIM card</a>.</p>
+ </li>
- <p>There is a way to <a href="https://support.apple.com/en-us/HT201104">
- deactivate iCloud</a>, but it's active by default so it still counts as a
- surveillance functionality.</p>
+ <li id="M201611150">
+ <p>Some portable phones <a
+
href="http://www.prnewswire.com/news-releases/kryptowire-discovered-mobile-phone-firmware-that-transmitted-personally-identifiable-information-pii-without-user-consent-or-disclosure-300362844.html">are
+ sold with spyware sending lots of data to China</a>.</p>
+ </li>
- <p>Unknown people apparently took advantage of this to
- <a
href="https://www.theguardian.com/technology/2014/sep/01/naked-celebrity-hack-icloud-backup-jennifer-lawrence">get
- nude photos of many celebrities</a>. They needed to break Apple's
- security to get at them, but NSA can access any of them through
- <a
href="/philosophy/surveillance-vs-democracy.html#digitalcash">PRISM</a>.
- </p></li>
+ <li id="M201609140">
+ <p>Google Play (a component of Android) <a
+
href="https://www.extremetech.com/mobile/235594-yes-google-play-is-tracking-you-and-thats-just-the-tip-of-a-very-large-iceberg">
+ tracks the users' movements without their permission</a>.</p>
- <li><p>Spyware in iThings:
- the <a class="not-a-duplicate"
-
href="http://finance.yahoo.com/blogs/the-exchange/privacy-advocates-worry-over-new-apple-iphone-tracking-feature-161836223.html">
- iBeacon</a> lets stores determine exactly where the iThing is,
- and get other info too.</p>
+ <p>Even if you disable Google Maps and location tracking, you must
+ disable Google Play itself to completely stop the tracking. This is
+ yet another example of nonfree software pretending to obey the user,
+ when it's actually doing something else. Such a thing would be almost
+ unthinkable with free software.</p>
</li>
- <li><p>There is also a feature for web sites to track users, which is
- <a
href="http://nakedsecurity.sophos.com/2012/10/17/how-to-disable-apple-ios-user-tracking-ios-6/">
- enabled by default</a>. (That article talks about iOS 6, but it
- is still true in iOS 7.)</p>
+ <li id="M201507030">
+ <p>Samsung phones come with <a
+
href="http://arstechnica.com/gadgets/2015/07/samsung-sued-for-loading-devices-with-unremovable-crapware-in-china/">apps
+ that users can't delete</a>, and they send so much data that their
+ transmission is a substantial expense for users. Said transmission,
+ not wanted or requested by the user, clearly must constitute spying
+ of some kind.</p>
</li>
- <li><p>The iThing also
- <a
-href="https://web.archive.org/web/20160313215042/http://www.theregister.co.uk/2013/08/08/ios7_tracking_now_its_a_favourite_feature/">
- tells Apple its geolocation</a> by default, though that can be
- turned off.</p>
+ <li id="M201403120">
+ <p><a href="/proprietary/proprietary-back-doors.html#samsung">
+ Samsung's back door</a> provides access to any file on the system.</p>
</li>
- <li><p>Apple can, and regularly does,
- <a
href="http://arstechnica.com/apple/2014/05/new-guidelines-outline-what-iphone-data-apple-can-give-to-police/">
- remotely extract some data from iPhones for the state</a>.</p>
+ <li id="M201308010">
+ <p>Spyware in Android phones (and Windows? laptops): The Wall Street
+ Journal (in an article blocked from us by a paywall) reports that <a
+
href="http://www.theverge.com/2013/8/1/4580718/fbi-can-remotely-activate-android-and-laptop-microphones-reports-wsj">
+ the FBI can remotely activate the GPS and microphone in Android phones
+ and laptops</a>. (I suspect this means Windows laptops.) Here is <a
+ href="http://cryptome.org/2013/08/fbi-hackers.htm">more info</a>.</p>
</li>
- <li><p><a
href="http://www.zerohedge.com/news/2013-12-30/how-nsa-hacks-your-iphone-presenting-dropout-jeep">
- Either Apple helps the NSA snoop on all the data in an iThing,
- or it is totally incompetent.</a></p>
+ <li id="M201307280">
+ <p>Spyware is present in some Android devices when
+ they are sold. Some Motorola phones modify Android to <a
+ href="http://www.beneaththewaves.net/Projects/Motorola_Is_Listening.html">
+ send personal data to Motorola</a>.</p>
</li>
- <li><p><a
href="http://www.theguardian.com/technology/2014/jul/23/iphone-backdoors-surveillance-forensic-services">
- Several “features” of iOS seem to exist for no
- possible purpose other than surveillance</a>. Here is the
- <a
href="http://www.zdziarski.com/blog/wp-content/uploads/2014/07/iOS_Backdoors_Attack_Points_Surveillance_Mechanisms_Moved.pdf">
- Technical presentation</a>.</p>
+ <li id="M201307250">
+ <p>A Motorola phone <a
+
href="http://www.itproportal.com/2013/07/25/motorolas-new-x8-arm-chip-underpinning-the-always-on-future-of-android/">
+ listens for voice all the time</a>.</p>
+ </li>
+
+ <li id="M201302150">
+ <p>Google Play intentionally sends app developers <a
+
href="http://gadgets.ndtv.com/apps/news/google-play-store-policy-raises-privacy-concerns-331116">
+ the personal details of users that install the app</a>.</p>
+
+ <p>Merely asking the “consent” of users is not enough to
+ legitimize actions like this. At this point, most users have stopped
+ reading the “Terms and Conditions” that spell out what
+ they are “consenting” to. Google should clearly and
+ honestly identify the information it collects on users, instead of
+ hiding it in an obscurely worded EULA.</p>
+
+ <p>However, to truly protect people's privacy, we must prevent Google
+ and other companies from getting this personal information in the
+ first place!</p>
+ </li>
+
+ <li id="M201111170">
+ <p>Some manufacturers add a <a
+
href="http://androidsecuritytest.com/features/logs-and-services/loggers/carrieriq/">
+ hidden general surveillance package such as Carrier IQ</a>.</p>
</li>
</ul>
<div class="big-subsection">
- <h4 id="SpywareInTelephones">Spyware in Telephones</h4>
- <span class="anchor-reference-id">(<a
href="#SpywareInTelephones">#SpywareInTelephones</a>)</span>
+ <h4 id="SpywareInElectronicReaders">E-Readers</h4>
+ <span class="anchor-reference-id">(<a
href="#SpywareInElectronicReaders">#SpywareInElectronicReaders</a>)</span>
</div>
-<ul>
- <li><p>Tracking software in popular Android apps is pervasive and
- sometimes very clever. Some trackers can <a
-href="https://theintercept.com/2017/11/24/staggering-variety-of-clandestine-trackers-found-in-popular-android-apps/">
- follow a user's movements around a physical store by noticing WiFi
- networks</a>.</p>
-</li>
-
- <li><p>Android tracks location for Google <a
-href="https://www.techdirt.com/articles/20171121/09030238658/investigation-finds-google-collected-location-data-even-with-location-services-turned-off.shtml">
- even when “location services” are turned off, even
- when the phone has no SIM card</a>.</p></li>
-
- <li><p>Some portable phones <a
href="http://www.prnewswire.com/news-releases/kryptowire-discovered-mobile-phone-firmware-that-transmitted-personally-identifiable-information-pii-without-user-consent-or-disclosure-300362844.html">are
- sold with spyware sending lots of data to China</a>.</p></li>
-
- <li><p>According to Edward Snowden,
- <a href="http://www.bbc.com/news/uk-34444233">agencies can take over
smartphones</a>
- by sending hidden text messages which enable them to turn the phones
- on and off, listen to the microphone, retrieve geo-location data from the
- GPS, take photographs, read text messages, read call, location and web
- browsing history, and read the contact list. This malware is designed to
- disguise itself from investigation.</p>
- </li>
-
- <li><p>Samsung phones come with
- <a
href="http://arstechnica.com/gadgets/2015/07/samsung-sued-for-loading-devices-with-unremovable-crapware-in-china/">apps
that users can't delete</a>,
- and they send so much data that their transmission is a
- substantial expense for users. Said transmission, not wanted or
- requested by the user, clearly must constitute spying of some
- kind.</p></li>
-
- <li><p>A Motorola phone
- <a
href="http://www.itproportal.com/2013/07/25/motorolas-new-x8-arm-chip-underpinning-the-always-on-future-of-android/">
- listens for voice all the time</a>.</p>
+<ul class="blurbs">
+ <li id="M201603080">
+ <p>E-books can contain JavaScript code, and <a
+
href="http://www.theguardian.com/books/2016/mar/08/men-make-up-their-minds-about-books-faster-than-women-study-finds">
+ sometimes this code snoops on readers</a>.</p>
</li>
- <li><p>Spyware in Android phones (and Windows? laptops): The Wall
- Street Journal (in an article blocked from us by a paywall)
- reports that
- <a
href="http://www.theverge.com/2013/8/1/4580718/fbi-can-remotely-activate-android-and-laptop-microphones-reports-wsj">
- the FBI can remotely activate the GPS and microphone in Android
- phones and laptops</a>.
- (I suspect this means Windows laptops.) Here is
- <a href="http://cryptome.org/2013/08/fbi-hackers.htm">more info</a>.</p>
+ <li id="M201410080">
+ <p>Adobe made “Digital Editions,”
+ the e-reader used by most US libraries, <a
+
href="http://www.computerworlduk.com/blogs/open-enterprise/drm-strikes-again-3575860/">
+ send lots of data to Adobe</a>. Adobe's “excuse”: it's
+ needed to check DRM!</p>
</li>
- <li><p>Portable phones with GPS will send their GPS location on
- remote command and users cannot stop them:
- <a
href="http://www.aclu.org/government-location-tracking-cell-phones-gps-devices-and-license-plate-readers">
-
http://www.aclu.org/government-location-tracking-cell-phones-gps-devices-and-license-plate-readers</a>.
- (The US says it will eventually require all new portable phones
- to have GPS.)</p>
+ <li id="M201212031">
+ <p>The Electronic Frontier Foundation has examined and found <a
+ href="https://www.eff.org/pages/reader-privacy-chart-2012">various
+ kinds of surveillance in the Swindle and other e-readers</a>.</p>
</li>
- <li><p>The nonfree Snapchat app's principal purpose is to restrict
- the use of data on the user's computer, but it does surveillance
- too: <a
href="http://www.theguardian.com/media/2013/dec/27/snapchat-may-be-exposed-hackers">
- it tries to get the user's list of other people's phone
- numbers.</a></p>
+ <li id="M201212030">
+ <p>Spyware in many e-readers—not only the Kindle: <a
+ href="https://www.eff.org/pages/reader-privacy-chart-2012"> they
+ report even which page the user reads at what time</a>.</p>
</li>
</ul>
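Review bot: M201212031 and M201212030 in the new E-Readers list both link to https://www.eff.org/pages/reader-privacy-chart-2012 and make overlapping claims, and neither link carries class="not-a-duplicate" the way the iBeacon link elsewhere in this patch does. Either merge the two into one item, or mark the repeated link if both are meant to stay. The second item also keeps its "Spyware in many e-readers" lead-in, which is redundant under the new "E-Readers" heading; the iBeacon item had its equivalent "Spyware in iThings:" prefix dropped in this same change.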
+
+<div class="big-section">
+ <h3 id="SpywareInApplications">Spyware in Applications</h3>
+ <span class="anchor-reference-id">(<a
href="#SpywareInApplications">#SpywareInApplications</a>)</span>
+</div>
+<div style="clear: left;"></div>
+
<div class="big-subsection">
- <h4 id="SpywareInMobileApps">Spyware in Mobile Applications</h4>
+ <h4 id="SpywareInMobileApps">Mobile Apps</h4>
<span class="anchor-reference-id">(<a
href="#SpywareInMobileApps">#SpywareInMobileApps</a>)</span>
</div>
-<ul>
- <li><p>The Spanish football streaming app
- <a
href="https://boingboing.net/2018/06/11/spanish-football-app-turns-use.html">tracks
- the user's movements and listens through the
- microphone</a>.</p>
+<ul class="blurbs">
+ <li id="M201808030">
+ <p>Some Google apps on Android <a
+
href="https://www.theguardian.com/technology/2018/aug/13/google-location-tracking-android-iphone-mobile">
+ record the user's location even when users disable “location
+ tracking”</a>.</p>
+
+ <p>There are other ways to turn off the other kinds of location
+ tracking, but most users will be tricked by the misleading control.</p>
+ </li>
+
+ <li id="M201806110">
+ <p>The Spanish football streaming app <a
+
href="https://boingboing.net/2018/06/11/spanish-football-app-turns-use.html">tracks
+ the user's movements and listens through the microphone</a>.</p>
<p>This makes them act as spies for licensing enforcement.</p>
- <p>I expect it implements DRM, too—that there is no way to
- save a recording. But I can't be sure from the article.</p>
+ <p>I expect it implements DRM, too—that there is no way to save
+ a recording. But I can't be sure from the article.</p>
+
+ <p>If you learn to care much less about sports, you will benefit in
+ many ways. This is one more.</p>
+ </li>
+
+ <li id="M201804160">
+ <p>More than <a
+
href="https://www.theguardian.com/technology/2018/apr/16/child-apps-games-android-us-google-play-store-data-sharing-law-privacy">50%
+ of the 5,855 Android apps studied by researchers were found to snoop
+ and collect information about its users</a>. 40% of the apps were
+ found to insecurely snitch on its users. Furthermore, they could
+ detect only some methods of snooping, in these proprietary apps whose
+ source code they cannot look at. The other apps might be snooping
+ in other ways.</p>
- <p>If you learn to care much less about sports, you will benefit
- in many ways. This is one more.</p>
+ <p>This is evidence that proprietary apps generally work against
+ their users. To protect their privacy and freedom, Android users
+ need to get rid of the proprietary software—both proprietary
+ Android by <a href="https://replicant.us">switching to Replicant</a>,
+ and the proprietary apps by getting apps from the free software
+ only <a href="https://f-droid.org/">F-Droid store</a> that <a
+ href="https://f-droid.org/wiki/page/Antifeatures"> prominently warns
+ the user if an app contains anti-features</a>.</p>
</li>
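Review bot: in M201804160 the subject is plural (the 5,855 apps), so "collect information about its users" and "insecurely snitch on its users" should both read "their users". In the second paragraph, "the free software only F-Droid store" is hard to parse on first reading; "the F-Droid store, which offers only free software" or a hyphenated "free-software-only" would be clearer.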
- <li><p>Grindr collects information about <a
+ <li id="M201804020">
+ <p>Grindr collects information about <a
href="https://www.commondreams.org/news/2018/04/02/egregious-breach-privacy-popular-app-grindr-supplies-third-parties-users-hiv-status">
which users are HIV-positive, then provides the information to
companies</a>.</p>
<p>Grindr should not have so much information about its users.
- It could be designed so that users communicate such info to each other
- but not to the server's database.</p>
+ It could be designed so that users communicate such info to each
+ other but not to the server's database.</p>
</li>
- <li>
- <p>The moviepass app and dis-service spy on users even more than users
- expected. It <a
href="https://techcrunch.com/2018/03/05/moviepass-ceo-proudly-says-the-app-tracks-your-location-before-and-after-movies/">records
- where they travel before and after going to a movie</a>.
- </p>
+ <li id="M201803050">
+ <p>The moviepass app and dis-service
+ spy on users even more than users expected. It <a
+
href="https://techcrunch.com/2018/03/05/moviepass-ceo-proudly-says-the-app-tracks-your-location-before-and-after-movies/">records
+ where they travel before and after going to a movie</a>.</p>
- <p>Don't be tracked — pay cash!</p>
+ <p>Don't be tracked—pay cash!</p>
</li>
- <li><p>AI-powered driving apps can
- <a
href="https://motherboard.vice.com/en_us/article/43nz9p/ai-powered-driving-apps-can-track-your-every-move">
- track your every move</a>.</p>
+ <li id="M201711240">
+ <p>Tracking software in popular Android apps
+ is pervasive and sometimes very clever. Some trackers can <a
+
href="https://theintercept.com/2017/11/24/staggering-variety-of-clandestine-trackers-found-in-popular-android-apps/">
+ follow a user's movements around a physical store by noticing WiFi
+ networks</a>.</p>
</li>
- <li><p>The Sarahah app
- <a
href="https://theintercept.com/2017/08/27/hit-app-sarahah-quietly-uploads-your-address-book/">
+ <li id="M201708270">
+ <p>The Sarahah app <a
+
href="https://theintercept.com/2017/08/27/hit-app-sarahah-quietly-uploads-your-address-book/">
uploads all phone numbers and email addresses</a> in user's address
book to developer's server. Note that this article misuses the words
“<a href="/philosophy/free-sw.html">free software</a>”
referring to zero price.</p>
</li>
- <li>
- <p>Facebook's app listens all the time, <a
href="http://www.independent.co.uk/life-style/gadgets-and-tech/news/facebook-using-people-s-phones-to-listen-in-on-what-they-re-saying-claims-professor-a7057526.html">to
snoop
- on what people are listening to or watching</a>. In addition, it may
- be analyzing people's conversations to serve them with targeted
- advertisements.</p>
- </li>
-
- <li>
- <p>Faceapp appears to do lots of surveillance, judging by
- <a
href="https://www.washingtonpost.com/news/the-intersect/wp/2017/04/26/everything-thats-wrong-with-faceapp-the-latest-creepy-photo-app-for-your-face/">
- how much access it demands to personal data in the device</a>.
- </p>
- </li>
-
- <li>
- <p>Verizon <a
href="https://yro.slashdot.org/story/17/03/30/0112259/verizon-to-force-appflash-spyware-on-android-phones">
- announced an opt-in proprietary search app that it will</a>
- pre-install on some of its phones. The app will give Verizon the same
- information about the users' searches that Google normally gets when
- they use its search engine.</p>
-
- <p>Currently, the app is <a
href="https://www.eff.org/deeplinks/2017/04/update-verizons-appflash-pre-installed-spyware-still-spyware">
- being pre-installed on only one phone</a>, and the
- user must explicitly opt-in before the app takes effect. However, the
- app remains spyware—an “optional” piece of spyware is
- still spyware.</p>
- </li>
+ <li id="M201707270">
+ <p>20 dishonest Android apps recorded <a
+
href="https://arstechnica.com/information-technology/2017/07/stealthy-google-play-apps-recorded-calls-and-stole-e-mails-and-texts">phone
+ calls and sent them and text messages and emails to snoopers</a>.</p>
- <li><p>The Meitu photo-editing
- app <a
href="https://theintercept.com/2017/01/21/popular-selfie-app-sending-user-data-to-china-researchers-say/">sends
- user data to a Chinese company</a>.</p></li>
-
- <li><p>A pregnancy test controller application not only
- can <a
href="http://www.theverge.com/2016/4/25/11503718/first-response-pregnancy-pro-test-bluetooth-app-security">spy
- on many sorts of data in the phone, and in server accounts, it can
- alter them too</a>.
- </p></li>
+ <p>Google did not intend to make these apps spy; on the contrary, it
+ worked in various ways to prevent that, and deleted these apps after
+ discovering what they did. So we cannot blame Google specifically
+ for the snooping of these apps.</p>
- <li><p>The Uber app tracks <a
href="https://techcrunch.com/2016/11/28/uber-background-location-data-collection/">clients'
- movements before and after the ride</a>.</p>
+ <p>On the other hand, Google redistributes nonfree Android apps, and
+ therefore shares in the responsibility for the injustice of their being
+ nonfree. It also distributes its own nonfree apps, such as Google Play,
+ <a href="/philosophy/free-software-even-more-important.html">which
+ are malicious</a>.</p>
- <p>This example illustrates how “getting the user's
consent”
- for surveillance is inadequate as a protection against massive
- surveillance.</p>
- </li>
+ <p>Could Google have done a better job of preventing apps from
+ cheating? There is no systematic way for Google, or Android users,
+ to inspect executable proprietary apps to see what they do.</p>
- <li><p>Google's new voice messaging app <a
href="http://www.theverge.com/2016/9/21/12994362/allo-privacy-message-logs-google">logs
- all conversations</a>.</p>
- </li>
+ <p>Google could demand the source code for these apps, and study
+ the source code somehow to determine whether they mistreat users in
+ various ways. If it did a good job of this, it could more or less
+ prevent such snooping, except when the app developers are clever
+ enough to outsmart the checking.</p>
- <li><p>Apps that include
- <a
href="http://techaeris.com/2016/01/13/symphony-advanced-media-software-tracks-your-digital-life-through-your-smartphone-mic/">
- Symphony surveillance software snoop on what radio and TV programs
- are playing nearby</a>. Also on what users post on various sites
- such as Facebook, Google+ and Twitter.</p>
+ <p>But since Google itself develops malicious apps, we cannot trust
+ Google to protect us. We must demand release of source code to the
+ public, so we can depend on each other.</p>
</li>
- <li><p>Facebook's new Magic Photo app
- <a
-href="https://web.archive.org/web/20160605165148/http://www.theregister.co.uk/2015/11/10/facebook_scans_camera_for_your_friends/">
-scans your mobile phone's photo collections for known faces</a>,
- and suggests you to share the picture you take according to who
- is in the frame.</p>
+ <li id="M201705230">
+ <p>Apps for BART <a
+
href="https://consumerist.com/2017/05/23/passengers-say-commuter-rail-app-illegally-collects-personal-user-data/">snoop
+ on users</a>.</p>
- <p>This spyware feature seems to require online access to some
- known-faces database, which means the pictures are likely to be
- sent across the wire to Facebook's servers and face-recognition
- algorithms.</p>
+ <p>With free software apps, users could <em>make sure</em> that they
+ don't snoop.</p>
- <p>If so, none of Facebook users' pictures are private
- anymore, even if the user didn't “upload” them to the
service.</p>
+ <p>With proprietary apps, one can only hope that they don't.</p>
</li>
- <li><p>Like most “music screaming” disservices, Spotify
- is based on proprietary malware (DRM and snooping). In August
- 2015 it <a
-href="http://www.theguardian.com/technology/2015/aug/21/spotify-faces-user-backlash-over-new-privacy-policy">
- demanded users submit to increased snooping</a>, and some
- are starting to realize that it is nasty.</p>
-
- <p>This article shows the <a
-href="https://web.archive.org/web/20160313214751/http://www.theregister.co.uk/2015/08/21/spotify_worse_than_the_nsa/">
- twisted ways that they present snooping as a way
- to “serve” users better</a>—never mind
- whether they want that. This is a typical example of
- the attitude of the proprietary software industry towards
- those they have subjugated.</p>
+ <li id="M201705040">
+ <p>A study found 234 Android apps that track users by <a
+
href="https://www.bleepingcomputer.com/news/security/234-android-applications-are-currently-using-ultrasonic-beacons-to-track-users/">listening
+ to ultrasound from beacons placed in stores or played by TV
+ programs</a>.</p>
+ </li>
+
+ <li id="M201704260">
+ <p>Faceapp appears to do lots of surveillance, judging by <a
+
href="https://www.washingtonpost.com/news/the-intersect/wp/2017/04/26/everything-thats-wrong-with-faceapp-the-latest-creepy-photo-app-for-your-face/">
+ how much access it demands to personal data in the device</a>.</p>
+ </li>
+
+ <li id="M201704190">
+ <p>Users are suing Bose for <a
+
href="https://www.washingtonpost.com/news/the-switch/wp/2017/04/19/bose-headphones-have-been-spying-on-their-customers-lawsuit-claims/">
+ distributing a spyware app for its headphones</a>. Specifically,
+ the app would record the names of the audio files users listen to
+ along with the headphone's unique serial number.</p>
- <p>Out, out, damned Spotify!</p>
- </li>
- <li><p>Many proprietary apps for mobile devices report which other
- apps the user has
- installed. <a
href="http://techcrunch.com/2014/11/26/twitter-app-graph/">Twitter
- is doing this in a way that at least is visible and
- optional</a>. Not as bad as what the others do.</p>
+ <p>The suit accuses that this was done without the users' consent.
+ If the fine print of the app said that users gave consent for this,
+ would that make it acceptable? No way! It should be flat out <a
+ href="/philosophy/surveillance-vs-democracy.html"> illegal to design
+ the app to snoop at all</a>.</p>
+ </li>
+
+ <li id="M201704074">
+ <p>Pairs of Android apps can collude
+ to transmit users' personal data to servers. <a
+
href="https://www.theatlantic.com/technology/archive/2017/04/when-apps-collude-to-steal-your-data/522177/">A
+ study found tens of thousands of pairs that collude</a>.</p>
+ </li>
+
+ <li id="M201703300">
+ <p>Verizon <a
+
href="https://yro.slashdot.org/story/17/03/30/0112259/verizon-to-force-appflash-spyware-on-android-phones">
+ announced an opt-in proprietary search app that it will</a> pre-install
+ on some of its phones. The app will give Verizon the same information
+ about the users' searches that Google normally gets when they use
+ its search engine.</p>
+
+ <p>Currently, the app is <a
+
href="https://www.eff.org/deeplinks/2017/04/update-verizons-appflash-pre-installed-spyware-still-spyware">
+ being pre-installed on only one phone</a>, and the user must
+ explicitly opt-in before the app takes effect. However, the app
+ remains spyware—an “optional” piece of spyware is
+ still spyware.</p>
</li>
- <li><p>FTC says most mobile apps for children don't respect privacy:
- <a
href="http://arstechnica.com/information-technology/2012/12/ftc-disclosures-severely-lacking-in-kids-mobile-appsand-its-getting-worse/">
-
http://arstechnica.com/information-technology/2012/12/ftc-disclosures-severely-lacking-in-kids-mobile-appsand-its-getting-worse/</a>.</p>
+ <li id="M201701210">
+ <p>The Meitu photo-editing app <a
+
href="https://theintercept.com/2017/01/21/popular-selfie-app-sending-user-data-to-china-researchers-say/">sends
+ user data to a Chinese company</a>.</p>
</li>
- <li><p>Widely used <a
href="https://freedom-to-tinker.com/blog/kollarssmith/scan-this-or-scan-me-user-privacy-barcode-scanning-applications/">proprietary
- QR-code scanner apps snoop on the user</a>. This is in addition to
- the snooping done by the phone company, and perhaps by the OS in the
- phone.</p>
+ <li id="M201611280">
+ <p>The Uber app tracks <a
+
href="https://techcrunch.com/2016/11/28/uber-background-location-data-collection/">clients'
+ movements before and after the ride</a>.</p>
- <p>Don't be distracted by the question of whether the app developers get
- users to say “I agree”. That is no excuse for malware.</p>
+ <p>This example illustrates how “getting the user's
+ consent” for surveillance is inadequate as a protection against
+ massive surveillance.</p>
</li>
- <li><p>The Brightest Flashlight app
- <a
href="http://www.theguardian.com/technology/2013/dec/06/android-app-50m-downloads-sent-data-advertisers">
- sends user data, including geolocation, for use by companies.</a></p>
-
- <p>The FTC criticized this app because it asked the user to
- approve sending personal data to the app developer but did not
- ask about sending it to other companies. This shows the
- weakness of the reject-it-if-you-dislike-snooping
- “solution” to surveillance: why should a flashlight
- app send any information to anyone? A free software flashlight
- app would not.</p>
- </li>
-</ul>
+ <li id="M201611160">
+ <p>A <a
+
href="https://research.csiro.au/ng/wp-content/uploads/sites/106/2016/08/paper-1.pdf">
+ research paper</a> that investigated the privacy and security of
+ 283 Android VPN apps concluded that “in spite of the promises
+ for privacy, security, and anonymity given by the majority of VPN
+ apps—millions of users may be unawarely subject to poor security
+ guarantees and abusive practices inflicted by VPN apps.”</p>
-<div class="big-subsection">
- <h4 id="SpywareInToys">Spyware in Toys</h4>
- <span class="anchor-reference-id">(<a
href="#SpywareInToys">#SpywareInToys</a>)</span>
-</div>
+ <p>Following is a non-exhaustive list of proprietary VPN apps from
+ the research paper that tracks and infringes the privacy of users:</p>
-<ul>
+ <dl>
+ <dt>SurfEasy</dt>
+ <dd>Includes tracking libraries such as NativeX and Appflood,
+ meant to track users and show them targeted ads.</dd>
- <li>
- <p>A remote-control sex toy was found to make <a
href="https://www.theverge.com/2017/11/10/16634442/lovense-sex-toy-spy-survei">audio
recordings
- of the conversation between two users</a>.</p>
+ <dt>sFly Network Booster</dt>
+ <dd>Requests the <code>READ_SMS</code> and <code>SEND_SMS</code>
+ permissions upon installation, meaning it has full access to users'
+ text messages.</dd>
+
+ <dt>DroidVPN and TigerVPN</dt>
+ <dd>Requests the <code>READ_LOGS</code> permission to read logs
+ for other apps and also core system logs. TigerVPN developers have
+ confirmed this.</dd>
+
+ <dt>HideMyAss</dt>
+ <dd>Sends traffic to LinkedIn. Also, it stores detailed logs and
+ may turn them over to the UK government if requested.</dd>
+
+ <dt>VPN Services HotspotShield</dt>
+ <dd>Injects JavaScript code into the HTML pages returned to the
+ users. The stated purpose of the JS injection is to display ads. Uses
+ roughly five tracking libraries. Also, it redirects the user's
+ traffic through valueclick.com (an advertising website).</dd>
+
+ <dt>WiFi Protector VPN</dt>
+ <dd>Injects JavaScript code into HTML pages, and also uses roughly
+ five tracking libraries. Developers of this app have confirmed that
+ the non-premium version of the app does JavaScript injection for
+ tracking and display ads.</dd>
+ </dl>
+ </li>
+
+ <li id="M201609210">
+ <p>Google's new voice messaging app <a
+
href="http://www.theverge.com/2016/9/21/12994362/allo-privacy-message-logs-google">logs
+ all conversations</a>.</p>
</li>
- <li>
- <p>The “smart” toys My Friend Cayla and i-Que transmit
- <a
href="https://www.forbrukerradet.no/siste-nytt/connected-toys-violate-consumer-laws">children's
conversations to Nuance Communications</a>,
- a speech recognition company based in the U.S.</p>
+ <li id="M201606050">
+ <p>Facebook's new Magic Photo app <a
+
href="https://www.theregister.co.uk/2015/11/10/facebook_scans_camera_for_your_friends/">
+ scans your mobile phone's photo collections for known faces</a>,
+ and suggests you to share the picture you take according to who is
+ in the frame.</p>
- <p>Those toys also contain major security vulnerabilities; crackers
- can remotely control the toys with a mobile phone. This would
- enable crackers to listen in on a child's speech, and even speak
- into the toys themselves.</p>
+ <p>This spyware feature seems to require online access to some
+ known-faces database, which means the pictures are likely to be
+ sent across the wire to Facebook's servers and face-recognition
+ algorithms.</p>
+
+ <p>If so, none of Facebook users' pictures are private anymore,
+ even if the user didn't “upload” them to the service.</p>
</li>
- <li>
- <p>A computerized vibrator
- <a
href="https://www.theguardian.com/technology/2016/aug/10/vibrator-phone-app-we-vibe-4-plus-bluetooth-hack">
- was snooping on its users through the proprietary control app</a>.</p>
+ <li id="M201605310">
+ <p>Facebook's app listens all the time, <a
+
href="http://www.independent.co.uk/life-style/gadgets-and-tech/news/facebook-using-people-s-phones-to-listen-in-on-what-they-re-saying-claims-professor-a7057526.html">to
+ snoop on what people are listening to or watching</a>. In addition,
+ it may be analyzing people's conversations to serve them with targeted
+ advertisements.</p>
+ </li>
- <p>The app was reporting the temperature of the vibrator minute by
- minute (thus, indirectly, whether it was surrounded by a person's
- body), as well as the vibration frequency.</p>
+ <li id="M201604250">
+ <p>A pregnancy test controller application not only can <a
+
href="http://www.theverge.com/2016/4/25/11503718/first-response-pregnancy-pro-test-bluetooth-app-security">
+ spy on many sorts of data in the phone, and in server accounts,
+ it can alter them too</a>.</p>
+ </li>
- <p>Note the totally inadequate proposed response: a labeling
- standard with which manufacturers would make statements about
- their products, rather than free software which users could have
- checked and changed.</p>
-
- <p>The company that made the vibrator
- <a
href="https://www.theguardian.com/us-news/2016/sep/14/wevibe-sex-toy-data-collection-chicago-lawsuit">
- was sued for collecting lots of personal information about how
- people used it</a>.</p>
+ <li id="M201601130">
+ <p>Apps that include <a
+
href="http://techaeris.com/2016/01/13/symphony-advanced-media-software-tracks-your-digital-life-through-your-smartphone-mic/">
+ Symphony surveillance software snoop on what radio and TV programs
+ are playing nearby</a>. Also on what users post on various sites
+ such as Facebook, Google+ and Twitter.</p>
+ </li>
- <p>The company's statement that it was anonymizing the data may be
- true, but it doesn't really matter. If it had sold the data to a
- data broker, the data broker would have been able to figure out
- who the user was.</p>
+ <li id="M201511190">
+ <p>“Cryptic communication,”
+ unrelated to the app's functionality, was <a
+ href="http://news.mit.edu/2015/data-transferred-android-apps-hiding-1119">
+ found in the 500 most popular gratis Android apps</a>.</p>
+
+ <p>The article should not have described these apps as
+ “free”—they are not free software. The clear way
+ to say “zero price” is “gratis.”</p>
- <p>Following this lawsuit,
- <a
href="https://www.theguardian.com/technology/2017/mar/14/we-vibe-vibrator-tracking-users-sexual-habits">
- the company has been ordered to pay a total of C$4m</a>
- to its customers.</p>
+ <p>The article takes for granted that the usual analytics tools are
+ legitimate, but is that valid? Software developers have no right to
+ analyze what users are doing or how. “Analytics” tools
+ that snoop are just as wrong as any other snooping.</p>
</li>
- <li><p> “CloudPets” toys with microphones <a
-
href="https://www.theguardian.com/technology/2017/feb/28/cloudpets-data-breach-leaks-details-of-500000-children-and-adults">
- leak childrens' conversations to the manufacturer</a>. Guess what? <a
-
href="https://motherboard.vice.com/en_us/article/pgwean/internet-of-things-teddy-bear-leaked-2-million-parent-and-kids-message-recordings">
- Crackers found a way to access the data</a> collected by the
- manufacturer's snooping.</p>
+ <li id="M201510300">
+ <p>More than 73% and 47% of mobile applications, from Android and iOS
+ respectively <a href="https://techscience.org/a/2015103001/">share
+ personal, behavioral and location information</a> of their users with
+ third parties.</p>
+ </li>
+
+ <li id="M201508210">
+ <p>Like most “music screaming” disservices, Spotify is
+ based on proprietary malware (DRM and snooping). In August 2015 it <a
+
href="http://www.theguardian.com/technology/2015/aug/21/spotify-faces-user-backlash-over-new-privacy-policy">
+ demanded users submit to increased snooping</a>, and some are starting
+ to realize that it is nasty.</p>
- <p>That the manufacturer and the FBI could listen to these conversations
- was unacceptable by itself.</p></li>
+ <p>This article shows the <a
+
href="https://www.theregister.co.uk/2015/08/21/spotify_worse_than_the_nsa/">
+ twisted ways that they present snooping as a way to “serve”
+ users better</a>—never mind whether they want that. This is a
+ typical example of the attitude of the proprietary software industry
+ towards those they have subjugated.</p>
- <li><p>Barbie
- <a
href="http://www.mirror.co.uk/news/technology-science/technology/wi-fi-spy-barbie-records-childrens-5177673">is
going to spy on children and adults</a>.</p>
+ <p>Out, out, damned Spotify!</p>
</li>
-</ul>
+ <li id="M201506264">
+ <p><a
+
href="http://www.privmetrics.org/wp-content/uploads/2015/06/wisec2015.pdf">A
+ study in 2015</a> found that 90% of the top-ranked gratis proprietary
+ Android apps contained recognizable tracking libraries. For the paid
+ proprietary apps, it was only 60%.</p>
+
+ <p>The article confusingly describes gratis apps as
+ “free”, but most of them are not in fact <a
+ href="/philosophy/free-sw.html">free software</a>. It also uses the
+ ugly word “monetize”. A good replacement for that word
+ is “exploit”; nearly always that will fit perfectly.</p>
+ </li>
+
+ <li id="M201505060">
+ <p>Gratis Android apps (but not <a
+ href="/philosophy/free-sw.html">free software</a>) connect to 100 <a
+
href="http://www.theguardian.com/technology/2015/may/06/free-android-apps-connect-tracking-advertising-websites">tracking
+ and advertising</a> URLs, on the average.</p>
+ </li>
+
+ <li id="M201504060">
+ <p>Widely used <a
+
href="https://freedom-to-tinker.com/blog/kollarssmith/scan-this-or-scan-me-user-privacy-barcode-scanning-applications/">proprietary
+ QR-code scanner apps snoop on the user</a>. This is in addition to
+ the snooping done by the phone company, and perhaps by the OS in
+ the phone.</p>
-<!-- #SpywareOnWearables -->
-<!-- WEBMASTERS: make sure to place new items on top under each subsection -->
+ <p>Don't be distracted by the question of whether the app developers
+ get users to say “I agree”. That is no excuse for
+ malware.</p>
+ </li>
-<div class="big-section">
- <h3 id="SpywareOnWearables">Spyware on Wearables</h3>
- <span class="anchor-reference-id">(<a
href="#SpywareOnWearables">#SpywareOnWearables</a>)</span>
-</div>
-<div style="clear: left;"></div>
+ <li id="M201411260">
+ <p>Many proprietary apps for mobile devices
+ report which other apps the user has installed. <a
+ href="http://techcrunch.com/2014/11/26/twitter-app-graph/">Twitter
+ is doing this in a way that at least is visible and optional</a>. Not
+ as bad as what the others do.</p>
+ </li>
-<ul>
- <li><p>Tommy Hilfiger
- clothing <a
href="https://www.theguardian.com/fashion/2018/jul/26/tommy-hilfiger-new-clothing-line-monitor-customers">will
- monitor how often people wear it</a>.</p>
+ <li id="M201401151">
+ <p>The Simeji keyboard is a smartphone version of Baidu's <a
+ href="/proprietary/#baidu-ime">spying <abbr
+ title="Input Method Editor">IME</abbr></a>.</p>
+ </li>
- <p>This will teach the sheeple to find it normal that companies
- monitor every aspect of what they do.</p>
+ <li id="M201312270">
+ <p>The nonfree Snapchat app's principal purpose is to restrict the
+ use of data on the user's computer, but it does surveillance too: <a
+
href="http://www.theguardian.com/media/2013/dec/27/snapchat-may-be-exposed-hackers">
+ it tries to get the user's list of other people's phone
+ numbers</a>.</p>
+ </li>
+
+ <li id="M201312060">
+ <p>The Brightest Flashlight app <a
+
href="http://www.theguardian.com/technology/2013/dec/06/android-app-50m-downloads-sent-data-advertisers">
+ sends user data, including geolocation, for use by companies</a>.</p>
+
+ <p>The FTC criticized this app because it asked the user to
+ approve sending personal data to the app developer but did not ask
+ about sending it to other companies. This shows the weakness of
+ the reject-it-if-you-dislike-snooping “solution” to
+ surveillance: why should a flashlight app send any information to
+ anyone? A free software flashlight app would not.</p>
+ </li>
+
+ <li id="M201212100">
+ <p>FTC says most mobile apps for children don't respect privacy: <a
+
href="http://arstechnica.com/information-technology/2012/12/ftc-disclosures-severely-lacking-in-kids-mobile-appsand-its-getting-worse/">
+
http://arstechnica.com/information-technology/2012/12/ftc-disclosures-severely-lacking-in-kids-mobile-appsand-its-getting-worse/</a>.</p>
</li>
</ul>
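Review bot: The added item `M201606050` (Facebook Magic Photo) has an id that matches the snapshot timestamp `20160605165148` of the removed web.archive.org link, while its new link goes straight to the theregister.co.uk article dated 2015/11/10, so the entry now sits between `M201609210` and `M201605310` rather than with the late-2015 items. If the id is meant to reflect the article date, it should be based on 2015-11-10. If the archived snapshot was linked on purpose, the wrapper should be kept, and the same applies to the second link in the Spotify item `M201508210`, which also loses its web.archive.org prefix. Separately, in `M201611160` the new sentence "Following is a non-exhaustive list of proprietary VPN apps from the research paper that tracks and infringes the privacy of users" needs plural verbs ("that track and infringe"), and in `M201704190` "The suit accuses that" would read better as "The suit alleges that".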
+
<div class="big-subsection">
- <h3 id="SpywareOnSmartWatches">Spyware on “Smart” Watches</h3>
- <span class="anchor-reference-id">
- (<a href="#SpywareOnSmartWatches">#SpywareOnSmartWatches</a>)</span>
+ <h4 id="SpywareInSkype">Skype</h4>
+ <span class="anchor-reference-id">(<a
href="#SpywareInSkype">#SpywareInSkype</a>)</span>
</div>
-<ul>
- <li>
- <p>An LG “smart” watch is designed
- <a
href="http://www.huffingtonpost.co.uk/2014/07/09/lg-kizon-smart-watch_n_5570234.html">
- to report its location to someone else and to transmit
- conversations too</a>.</p>
- </li>
- <li>
- <p>A very cheap “smart watch” comes with an Android app
- <a
href="https://www.theregister.co.uk/2016/03/02/chinese_backdoor_found_in_ebays_popular_cheap_smart_watch/">
- that connects to an unidentified site in China</a>.</p>
- <p>The article says this is a back door, but that could be a
- misunderstanding. However, it is certainly surveillance, at
- least.</p>
+<ul class="blurbs">
+ <li id="M201307110">
+ <p>Skype contains <a
+
href="https://web.archive.org/web/20130928235637/http://www.forbes.com/sites/petercohan/2013/06/20/project-chess-how-u-s-snoops-on-your-skype/">spyware</a>.
+ Microsoft changed Skype <a
+
href="http://www.guardian.co.uk/world/2013/jul/11/microsoft-nsa-collaboration-user-data">
+ specifically for spying</a>.</p>
</li>
</ul>
-<!-- #SpywareAtLowLevel -->
-<!-- WEBMASTERS: make sure to place new items on top under each subsection -->
-<div class="big-section">
- <h3 id="SpywareAtLowLevel">Spyware at Low Level</h3>
- <span class="anchor-reference-id">(<a
href="#SpywareAtLowLevel">#SpywareAtLowLevel</a>)</span>
+<div class="big-subsection">
+ <h4 id="SpywareInGames">Games</h4>
+ <span class="anchor-reference-id">(<a
href="#SpywareInGames">#SpywareInGames</a>)</span>
</div>
-<div style="clear: left;"></div>
+<ul class="blurbs">
+ <li id="M201806240">
+ <p>Red Shell is a spyware that
+ is found in many proprietary games. It <a
+
href="https://nebulous.cloud/threads/red-shell-illegal-spyware-for-steam-games.31924/">
+ tracks data on users' computers and sends it to third parties</a>.</p>
+ </li>
-<div class="big-subsection">
- <h4 id="SpywareInBIOS">Spyware in BIOS</h4>
- <span class="anchor-reference-id">(<a
href="#SpywareInBIOS">#SpywareInBIOS</a>)</span>
-</div>
+ <li id="M201804144">
+ <p>ArenaNet surreptitiously installed a spyware
+ program along with an update to the massive
+ multiplayer game Guild War 2. The spyware allowed ArenaNet <a
+
href="https://techraptor.net/content/arenanet-used-spyware-anti-cheat-for-guild-wars-2-banwave">
+ to snoop on all open processes running on its user's computer</a>.</p>
+ </li>
+
+ <li id="M201711070">
+ <p>The driver for a certain gaming keyboard <a
+
href="https://thehackernews.com/2017/11/mantistek-keyboard-keylogger.html">sends
+ information to China</a>.</p>
+ </li>
+
+ <li id="M201611070">
+ <p>nVidia's proprietary GeForce Experience <a
+
href="http://www.gamersnexus.net/industry/2672-geforce-experience-data-transfer-analysis">makes
+ users identify themselves and then sends personal data about them to
+ nVidia servers</a>.</p>
+ </li>
-<ul>
-<li><p>
-<a
href="http://www.computerworld.com/article/2984889/windows-pcs/lenovo-collects-usage-data-on-thinkpad-thinkcentre-and-thinkstation-pcs.html">
-Lenovo stealthily installed crapware and spyware via BIOS</a> on Windows
installs.
-Note that the specific sabotage method Lenovo used did not affect
-GNU/Linux; also, a “clean” Windows install is not really
-clean since <a href="/proprietary/malware-microsoft.html">Microsoft
-puts in its own malware</a>.
-</p></li>
+ <li id="M201512290">
+ <p>Many <a
+
href="http://www.thestar.com/news/canada/2015/12/29/how-much-data-are-video-games-collecting-about-you.html/">
+ video game consoles snoop on their users and report to the
+ internet</a>—even what their users weigh.</p>
+
+ <p>A game console is a computer, and you can't trust a computer with
+ a nonfree operating system.</p>
+ </li>
+
+ <li id="M201509160">
+ <p>Modern gratis game cr…apps <a
+
href="http://toucharcade.com/2015/09/16/we-own-you-confessions-of-a-free-to-play-producer/">
+ collect a wide range of data about their users and their users'
+ friends and associates</a>.</p>
+
+ <p>Even nastier, they do it through ad networks that merge the data
+ collected by various cr…apps and sites made by different
+ companies.</p>
+
+ <p>They use this data to manipulate people to buy things, and hunt for
+ “whales” who can be led to spend a lot of money. They also
+ use a back door to manipulate the game play for specific players.</p>
+
+ <p>While the article describes gratis games, games that cost money
+ can use the same tactics.</p>
+ </li>
+
+ <li id="M201401280">
+ <p>Angry Birds <a
+
href="http://www.nytimes.com/2014/01/28/world/spy-agencies-scour-phone-apps-for-personal-data.html">
+ spies for companies, and the NSA takes advantage
+ to spy through it too</a>. Here's information on <a
+
href="http://confabulator.blogspot.com/2012/11/analysis-of-what-information-angry.html">
+ more spyware apps</a>.</p>
+
+ <p><a
+
href="http://www.propublica.org/article/spy-agencies-probe-angry-birds-and-other-apps-for-personal-data">
+ More about NSA app spying</a>.</p>
+ </li>
+
+ <li id="M200510200">
+ <p>Blizzard Warden is a hidden
+ “cheating-prevention” program that <a
+ href="https://www.eff.org/deeplinks/2005/10/new-gaming-feature-spyware">
+ spies on every process running on a gamer's computer and sniffs a
+ good deal of personal data</a>, including lots of activities which
+ have nothing to do with cheating.</p>
+ </li>
</ul>
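Review bot: In `M201804144` the game is written "Guild War 2", but the slug of the linked techraptor.net article reads `guild-wars-2`, so the name should be "Guild Wars 2". In the same list, the href in `M201512290` ends in `.html/`. The trailing slash after `.html` looks unintended and is worth checking against the live URL.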
-<!-- #SpywareAtWork -->
-<!-- WEBMASTERS: make sure to place new items on top under each subsection -->
+
<div class="big-section">
- <h3 id="SpywareAtWork">Spyware at Work</h3>
- <span class="anchor-reference-id">(<a
href="#SpywareAtWork">#SpywareAtWork</a>)</span>
+ <h3 id="SpywareInEquipment">Spyware in Connected Equipment</h3>
+ <span class="anchor-reference-id">(<a
href="#SpywareInEquipment">#SpywareInEquipment</a>)</span>
</div>
<div style="clear: left;"></div>
-<ul>
- <li><p>Investigation
- Shows <a
href="https://www.techdirt.com/articles/20160602/17210734610/investigation-shows-gchq-using-us-companies-nsa-to-route-around-domestic-surveillance-restrictions.shtml">GCHQ
- Using US Companies, NSA To Route Around Domestic Surveillance
- Restrictions</a>.</p>
+<ul class="blurbs">
+ <li id="M201708280">
+ <p>The bad security in many Internet of Stings devices allows <a
+
href="https://www.techdirt.com/articles/20170828/08152938092/iot-devices-provide-comcast-wonderful-new-opportunity-to-spy-you.shtml">ISPs
+ to snoop on the people that use them</a>.</p>
- <p>Specifically, it can collect the emails of members of Parliament
- this way, because they pass it through Microsoft.</p></li>
+ <p>Don't be a sucker—reject all the stings.</p>
- <li><p>Spyware in Cisco TNP IP phones:
- <a
href="http://boingboing.net/2012/12/29/your-cisco-phone-is-listening.html">
-
http://boingboing.net/2012/12/29/your-cisco-phone-is-listening.html</a></p>
+ <p>It is unfortunate that the article uses the term <a
+
href="/philosophy/words-to-avoid.html#Monetize">“monetize”</a>.</p>
</li>
</ul>
<div class="big-subsection">
- <h4 id="SpywareInSkype">Spyware in Skype</h4>
- <span class="anchor-reference-id">(<a
href="#SpywareInSkype">#SpywareInSkype</a>)</span>
+ <h4 id="SpywareInTVSets">TV Sets</h4>
+ <span class="anchor-reference-id">(<a
href="#SpywareInTVSets">#SpywareInTVSets</a>)</span>
</div>
-<ul>
- <li><p>Spyware in Skype:
- <a
href="http://www.forbes.com/sites/petercohan/2013/06/20/project-chess-how-u-s-snoops-on-your-skype/">
-
http://www.forbes.com/sites/petercohan/2013/06/20/project-chess-how-u-s-snoops-on-your-skype/</a>.
- Microsoft changed Skype
- <a
href="http://www.guardian.co.uk/world/2013/jul/11/microsoft-nsa-collaboration-user-data">
- specifically for spying</a>.</p>
+<p>Emo Phillips made a joke: The other day a woman came up to me and
+said, “Didn't I see you on television?” I said, “I
+don't know. You can't see out the other way.” Evidently that was
+before Amazon “smart” TVs.</p>
+
+<ul class="blurbs">
+ <li id="M201804010">
+ <p>Some “Smart” TVs automatically <a
+
href="https://web.archive.org/web/20180405014828/https:/twitter.com/buro9/status/980349887006076928">
+ load downgrades that install a surveillance app</a>.</p>
+
+ <p>We link to the article for the facts it presents. It
+ is too bad that the article finishes by advocating the
+ moral weakness of surrendering to Netflix. The Netflix app <a
+ href="/proprietary/malware-google.html#netflix-app-geolocation-drm">is
+ malware too</a>.</p>
</li>
-</ul>
+ <li id="M201702060">
+ <p>Vizio “smart” <a
+
href="https://www.ftc.gov/news-events/blogs/business-blog/2017/02/what-vizio-was-doing-behind-tv-screen">TVs
+ report everything that is viewed on them, and not just broadcasts and
+ cable</a>. Even if the image is coming from the user's own computer,
+ the TV reports what it is. The existence of a way to disable the
+ surveillance, even if it were not hidden as it was in these TVs,
+ does not legitimize the surveillance.</p>
+ </li>
+
+ <li id="M201511130">
+ <p>Some web and TV advertisements play inaudible
+ sounds to be picked up by proprietary malware running
+ on other devices in range so as to determine that they
+ are nearby. Once your Internet devices are paired with
+ your TV, advertisers can correlate ads with Web activity, and other <a
+
href="http://arstechnica.com/tech-policy/2015/11/beware-of-ads-that-use-inaudible-sound-to-link-your-phone-tv-tablet-and-pc/">
+ cross-device tracking</a>.</p>
+ </li>
+
+ <li id="M201511060">
+ <p>Vizio goes a step further than other TV
+ manufacturers in spying on their users: their <a
+
href="http://www.propublica.org/article/own-a-vizio-smart-tv-its-watching-you">
+ “smart” TVs analyze your viewing habits in detail and
+ link them your IP address</a> so that advertisers can track you
+ across devices.</p>
+ <p>It is possible to turn this off, but having it enabled by default
+ is an injustice already.</p>
+ </li>
-<!-- #SpywareOnTheRoad -->
-<!-- WEBMASTERS: make sure to place new items on top under each subsection -->
+ <li id="M201511020">
+ <p>Tivo's alliance with Viacom adds 2.3 million households
+ to the 600 millions social media profiles the company
+ already monitors. Tivo customers are unaware they're
+ being watched by advertisers. By combining TV viewing
+ information with online social media participation, Tivo can now <a
+ href="http://www.reuters.com/article/viacom-tivo-idUSL1N12U1VV20151102">
+ correlate TV advertisement with online purchases</a>, exposing all
+ users to new combined surveillance by default.</p>
+ </li>
+
+ <li id="M201507240">
+ <p>Vizio “smart” TVs recognize and <a
+ href="http://www.engadget.com/2015/07/24/vizio-ipo-inscape-acr/">track
+ what people are watching</a>, even if it isn't a TV channel.</p>
+ </li>
+
+ <li id="M201505290">
+ <p>Verizon cable TV <a
+
href="http://arstechnica.com/business/2015/05/verizon-fios-reps-know-what-tv-channels-you-watch/">
+ snoops on what programs people watch, and even what they wanted to
+ record</a>.</p>
+ </li>
+
+ <li id="M201504300">
+ <p>Vizio <a
+ href="http://boingboing.net/2015/04/30/telescreen-watch-vizio-adds-s.html">
+ used a firmware “upgrade” to make its TVs snoop on what
+ users watch</a>. The TVs did not do that when first sold.</p>
+ </li>
+
+ <li id="M201502090">
+ <p>The Samsung “Smart” TV <a
+
href="http://www.consumerreports.org/cro/news/2015/02/who-s-the-third-party-that-samsung-and-lg-smart-tvs-are-sharing-your-voice-data-with/index.htm">
+ transmits users' voice on the internet to another company, Nuance</a>.
+ Nuance can save it and would then have to give it to the US or some
+ other government.</p>
+
+ <p>Speech recognition is not to be trusted unless it is done by free
+ software in your own computer.</p>
+
+ <p>In its privacy policy, Samsung explicitly confirms that <a
+
href="http://theweek.com/speedreads/538379/samsung-warns-customers-not-discuss-personal-information-front-smart-tvs">voice
+ data containing sensitive information will be transmitted to third
+ parties</a>.</p>
+ </li>
+
+ <li id="M201411090">
+ <p>The Amazon “Smart” TV is <a
+
href="http://www.theguardian.com/technology/shortcuts/2014/nov/09/amazon-echo-smart-tv-watching-listening-surveillance">
+ snooping all the time</a>.</p>
+ </li>
+
+ <li id="M201409290">
+ <p>More or less all “smart” TVs <a
+
href="http://www.myce.com/news/reseachers-all-smart-tvs-spy-on-you-sony-monitors-all-channel-switches-72851/">spy
+ on their users</a>.</p>
+
+ <p>The report was as of 2014, but we don't expect this has got
+ better.</p>
+
+ <p>This shows that laws requiring products to get users' formal
+ consent before collecting personal data are totally inadequate.
+ And what happens if a user declines consent? Probably the TV will
+ say, “Without your consent to tracking, the TV will not
+ work.”</p>
+
+ <p>Proper laws would say that TVs are not allowed to report what the
+ user watches—no exceptions!</p>
+ </li>
+
+ <li id="M201405200">
+ <p>Spyware in LG “smart” TVs <a
+
href="http://doctorbeet.blogspot.co.uk/2013/11/lg-smart-tvs-logging-usb-filenames-and.html">
+ reports what the user watches, and the switch to turn this off has
+ no effect</a>. (The fact that the transmission reports a 404 error
+ really means nothing; the server could save that data anyway.)</p>
+
+ <p>Even worse, it <a
+
href="http://rambles.renney.me/2013/11/lg-tv-logging-filenames-from-network-folders/">
+ snoops on other devices on the user's local network</a>.</p>
+
+ <p>LG later said it had installed a patch to stop this, but any
+ product could spy this way.</p>
+
+ <p>Meanwhile, LG TVs <a
+
href="http://www.techdirt.com/articles/20140511/17430627199/lg-will-take-smart-out-your-smart-tv-if-you-dont-agree-to-share-your-viewing-search-data-with-third-parties.shtml">
+ do lots of spying anyway</a>.</p>
+ </li>
+
+ <li id="M201212170">
+ <p id="break-security-smarttv"><a
+
href="http://www.dailymail.co.uk/sciencetech/article-2249303/Hackers-penetrate-home-Crack-Samsungs-Smart-TV-allows-attacker-seize-control-microphone-cameras.html">
+ Crackers found a way to break security on a “smart” TV</a>
+ and use its camera to watch the people who are watching TV.</p>
+ </li>
+</ul>
-<div class="big-section">
- <h3 id="SpywareOnTheRoad">Spyware on The Road</h3>
- <span class="anchor-reference-id">(<a
href="#SpywareOnTheRoad">#SpywareOnTheRoad</a>)</span>
-</div>
-<div style="clear: left;"></div>
<div class="big-subsection">
- <h4 id="SpywareInCameras">Spyware in Cameras</h4>
+ <h4 id="SpywareInCameras">Cameras</h4>
<span class="anchor-reference-id">(<a
href="#SpywareInCameras">#SpywareInCameras</a>)</span>
</div>
-<ul>
- <li>
- <p>Every “home security” camera, if its manufacturer can
communicate with it,
- is a surveillance device. <a
-href="https://www.theverge.com/circuitbreaker/2017/10/4/16426394/canary-smart-home-camera-free-service-update-change">
+<ul class="blurbs">
+ <li id="M201710040">
+ <p>Every “home security” camera, if its
+ manufacturer can communicate with it, is a surveillance device. <a
+
href="https://www.theverge.com/circuitbreaker/2017/10/4/16426394/canary-smart-home-camera-free-service-update-change">
Canary camera is an example</a>.</p>
- <p>The article describes wrongdoing by the manufacturer, based on the fact
- that the device is tethered to a server.</p>
- <p><a href="/proprietary/proprietary-tethers.html">More about proprietary
tethering</a>.</p>
+
+ <p>The article describes wrongdoing by the manufacturer, based on
+ the fact that the device is tethered to a server.</p>
+
+ <p><a href="/proprietary/proprietary-tethers.html">More about
+ proprietary tethering</a>.</p>
+
<p>But it also demonstrates that the device gives the company
surveillance capability.</p>
</li>
- <li>
+ <li id="M201603220">
+ <p>Over 70 brands of network-connected surveillance cameras have <a
+
href="http://www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.html">
+ security bugs that allow anyone to watch through them</a>.</p>
+ </li>
+
+ <li id="M201511250">
<p>The Nest Cam “smart” camera is <a
- href="http://www.bbc.com/news/technology-34922712">always
- watching</a>, even when the “owner” switches it
“off.”</p>
- <p>A “smart” device means the manufacturer is using it to
outsmart
- you.</p>
+ href="http://www.bbc.com/news/technology-34922712">always watching</a>,
+ even when the “owner” switches it “off.”</p>
+
+ <p>A “smart” device means the manufacturer is using it
+ to outsmart you.</p>
</li>
</ul>
+
<div class="big-subsection">
- <h4 id="SpywareInElectronicReaders">Spyware in e-Readers</h4>
- <span class="anchor-reference-id">(<a
href="#SpywareInElectronicReaders">#SpywareInElectronicReaders</a>)</span>
+ <h4 id="SpywareInToys">Toys</h4>
+ <span class="anchor-reference-id">(<a
href="#SpywareInToys">#SpywareInToys</a>)</span>
</div>
-<ul>
- <li><p>E-books can contain JavaScript code,
- and <a
href="http://www.theguardian.com/books/2016/mar/08/men-make-up-their-minds-about-books-faster-than-women-study-finds">sometimes
- this code snoops on readers</a>.</p>
+<ul class="blurbs">
+ <li id="M201711244">
+ <p>The Furby Connect has a <a
+
href="https://www.contextis.com/blog/dont-feed-them-after-midnight-reverse-engineering-the-furby-connect">
+ universal back door</a>. If the product as shipped doesn't act as a
+ listening device, remote changes to the code could surely convert it
+ into one.</p>
+ </li>
+
+ <li id="M201711100">
+ <p>A remote-control sex toy was found to make <a
+
href="https://www.theverge.com/2017/11/10/16634442/lovense-sex-toy-spy-survei">audio
+ recordings of the conversation between two users</a>.</p>
+ </li>
+
+ <li id="M201703140">
+ <p>A computerized vibrator <a
+
href="https://www.theguardian.com/technology/2016/aug/10/vibrator-phone-app-we-vibe-4-plus-bluetooth-hack">
+ was snooping on its users through the proprietary control app</a>.</p>
+
+ <p>The app was reporting the temperature of the vibrator minute by
+ minute (thus, indirectly, whether it was surrounded by a person's
+ body), as well as the vibration frequency.</p>
+
+ <p>Note the totally inadequate proposed response: a labeling
+ standard with which manufacturers would make statements about their
+ products, rather than free software which users could have checked
+ and changed.</p>
+
+ <p>The company that made the vibrator <a
+
href="https://www.theguardian.com/us-news/2016/sep/14/wevibe-sex-toy-data-collection-chicago-lawsuit">
+ was sued for collecting lots of personal information about how people
+ used it</a>.</p>
+
+ <p>The company's statement that it was anonymizing the data may be
+ true, but it doesn't really matter. If it had sold the data to a data
+ broker, the data broker would have been able to figure out who the
+ user was.</p>
+
+ <p>Following this lawsuit, <a
+
href="https://www.theguardian.com/technology/2017/mar/14/we-vibe-vibrator-tracking-users-sexual-habits">
+ the company has been ordered to pay a total of C$4m</a> to its
+ customers.</p>
</li>
- <li><p>Spyware in many e-readers—not only the
- Kindle: <a href="https://www.eff.org/pages/reader-privacy-chart-2012">
- they report even which page the user reads at what time</a>.</p>
+ <li id="M201702280">
+ <p>“CloudPets” toys with microphones <a
+
href="https://www.theguardian.com/technology/2017/feb/28/cloudpets-data-breach-leaks-details-of-500000-children-and-adults">
+ leak childrens' conversations to the manufacturer</a>. Guess what? <a
+
href="https://motherboard.vice.com/en_us/article/pgwean/internet-of-things-teddy-bear-leaked-2-million-parent-and-kids-message-recordings">
+ Crackers found a way to access the data</a> collected by the
+ manufacturer's snooping.</p>
+
+ <p>That the manufacturer and the FBI could listen to these
+ conversations was unacceptable by itself.</p>
</li>
- <li><p>Adobe made “Digital Editions,” the e-reader used
- by most US libraries,
- <a
href="http://www.computerworlduk.com/blogs/open-enterprise/drm-strikes-again-3575860/">
- send lots of data to Adobe</a>. Adobe's “excuse”: it's
- needed to check DRM!</p>
+ <li id="M201612060">
+ <p>The “smart” toys My Friend Cayla and i-Que transmit <a
+
href="https://www.forbrukerradet.no/siste-nytt/connected-toys-violate-consumer-laws">children's
+ conversations to Nuance Communications</a>, a speech recognition
+ company based in the U.S.</p>
+
+ <p>Those toys also contain major security vulnerabilities; crackers
+ can remotely control the toys with a mobile phone. This would enable
+ crackers to listen in on a child's speech, and even speak into the
+ toys themselves.</p>
+ </li>
+
+ <li id="M201502180">
+ <p>Barbie <a
+
href="http://www.mirror.co.uk/news/technology-science/technology/wi-fi-spy-barbie-records-childrens-5177673">is
+ going to spy on children and adults</a>.</p>
</li>
</ul>
+
<div class="big-subsection">
- <h4 id="SpywareInVehicles">Spyware in Vehicles</h4>
- <span class="anchor-reference-id">(<a
href="#SpywareInVehicles">#SpywareInVehicles</a>)</span>
+ <h4 id="SpywareInDrones">Drones</h4>
+ <span class="anchor-reference-id">(<a
href="#SpywareInDrones">#SpywareInDrones</a>)</span>
</div>
-<ul>
-<li><p>Computerized cars with nonfree software are
- <a
href="http://www.thelowdownblog.com/2016/07/your-cars-been-studying-you-closely-and.html">
- snooping devices</a>.</p>
- </li>
-
- <li id="nissan-modem"><p>The Nissan Leaf has a built-in cell phone modem
which allows
- effectively
- anyone <a
href="https://www.troyhunt.com/controlling-vehicle-features-of-nissan/">to
- access its computers remotely and make changes in various
- settings</a>.</p>
-
- <p>That's easy to do because the system has no authentication when
- accessed through the modem. However, even if it asked for
- authentication, you couldn't be confident that Nissan has no
- access. The software in the car is
- proprietary, <a
href="/philosophy/free-software-even-more-important.html">which
- means it demands blind faith from its users</a>.</p>
-
- <p>Even if no one connects to the car remotely, the cell phone
- modem enables the phone company to track the car's movements all
- the time; it is possible to physically remove the cell phone modem
- though.</p>
- </li>
-
- <li id="records-drivers"><p>Proprietary software in cars
- <a
href="http://www.usatoday.com/story/money/cars/2013/03/24/car-spying-edr-data-privacy/1991751/">records
information about drivers' movements</a>,
- which is made available to car manufacturers, insurance companies, and
- others.</p>
-
- <p>The case of toll-collection systems, mentioned in this article, is not
- really a matter of proprietary surveillance. These systems are an
- intolerable invasion of privacy, and should be replaced with anonymous
- payment systems, but the invasion isn't done by malware. The other
- cases mentioned are done by proprietary malware in the car.</p></li>
-
- <li><p>Tesla cars allow the company to extract data remotely and
- determine the car's location at any time. (See
- <a
href="http://www.teslamotors.com/sites/default/files/pdfs/tmi_privacy_statement_external_6-14-2013_v2.pdf">
- Section 2, paragraphs b and c.</a>). The company says it doesn't
- store this information, but if the state orders it to get the data
- and hand it over, the state can store it.</p>
+<ul class="blurbs">
+ <li id="M201708040">
+ <p>While you're using a DJI drone
+ to snoop on other people, DJI is in many cases <a
+
href="https://www.theverge.com/2017/8/4/16095244/us-army-stop-using-dji-drones-cybersecurity">snooping
+ on you</a>.</p>
</li>
</ul>
-<!-- #SpywareAtHome -->
-<!-- WEBMASTERS: make sure to place new items on top under each subsection -->
-
-<div class="big-section">
- <h3 id="SpywareAtHome">Spyware at Home</h3>
- <span class="anchor-reference-id">(<a
href="#SpywareAtHome">#SpywareAtHome</a>)</span>
+<div class="big-subsection">
+ <h4 id="SpywareAtHome">Other Appliances</h4><span
class="anchor-reference-id">(<a href="#SpywareAtHome">#SpywareAtHome</a>)</span>
</div>
-<div style="clear: left;"></div>
-<ul>
- <li>
+<ul class="blurbs">
+ <li id="M201808120">
<p>Crackers found a way to break the security of an Amazon device,
- and <a
- href="https://boingboing.net/2018/08/12/alexa-bob-carol.html">
- turn it into a listening device for them</a>.</p>
+ and <a href="https://boingboing.net/2018/08/12/alexa-bob-carol.html">
+ turn it into a listening device</a> for them.</p>
<p>It was very difficult for them to do this. The job would be much
- easier for Amazon. And if some government such as China or the
- US told Amazon to do this, or cease to sell the product in that
- country, do you think Amazon would have the moral fiber to say
- no?</p>
+ easier for Amazon. And if some government such as China or the US
+ told Amazon to do this, or cease to sell the product in that country,
+ do you think Amazon would have the moral fiber to say no?</p>
<p>These crackers are probably hackers too, but please <a
- href="https://stallman.org/articles/on-hacking.html">
- don't use “hacking” to mean “breaking
- security”</a>.</p>
+ href="https://stallman.org/articles/on-hacking.html"> don't use
+ “hacking” to mean “breaking security”</a>.</p>
</li>
- <li><p>A medical insurance
- company <a
href="https://wolfstreet.com/2018/04/14/our-dental-insurance-sent-us-free-internet-connected-toothbrushes-and-this-is-what-happened-next">
- offers a gratis electronic toothbrush that snoops on its user
- by sending usage data back over the Internet</a>.</p>
+ <li id="M201804140">
+ <p>A medical insurance company <a
+
href="https://wolfstreet.com/2018/04/14/our-dental-insurance-sent-us-free-internet-connected-toothbrushes-and-this-is-what-happened-next">
+ offers a gratis electronic toothbrush that snoops on its user by
+ sending usage data back over the Internet</a>.</p>
</li>
- <li><p>Lots of “smart” products are
- designed <a
href="http://enews.cnet.com/ct/42931641:shoPz52LN:m:1:1509237774:B54C9619E39F7247C0D58117DD1C7E96:r:27417204357610908031812337994022">to
+ <li id="M201706204">
+ <p>Lots of “smart” products are designed <a
+
href="http://enews.cnet.com/ct/42931641:shoPz52LN:m:1:1509237774:B54C9619E39F7247C0D58117DD1C7E96:r:27417204357610908031812337994022">to
listen to everyone in the house, all the time</a>.</p>
- <p>Today's technological practice does not include any way of
- making a device that can obey your voice commands without
- potentially spying on you. Even if it is air-gapped, it could be
- saving up records about you for later examination.</p>
+ <p>Today's technological practice does not include any way of making
+ a device that can obey your voice commands without potentially spying
+ on you. Even if it is air-gapped, it could be saving up records
+ about you for later examination.</p>
</li>
- <li><p>Nest thermometers
- send <a href="http://bgr.com/2014/07/17/google-nest-jailbreak-hack">a
- lot of data about the user</a>.</p>
+ <li id="M201407170">
+ <p id="nest-thermometers">Nest thermometers send <a
+ href="http://bgr.com/2014/07/17/google-nest-jailbreak-hack">a lot of
+ data about the user</a>.</p>
</li>
- <li><p><a
href="http://consumerman.com/Rent-to-own%20giant%20accused%20of%20spying%20on%20its%20customers.htm">
+ <li id="M201310260">
+ <p><a
+
href="http://consumerman.com/Rent-to-own%20giant%20accused%20of%20spying%20on%20its%20customers.htm">
Rent-to-own computers were programmed to spy on their renters</a>.</p>
</li>
</ul>
<div class="big-subsection">
- <h4 id="SpywareInTVSets">Spyware in TV Sets</h4>
- <span class="anchor-reference-id">(<a
href="#SpywareInTVSets">#SpywareInTVSets</a>)</span>
+ <h4 id="SpywareOnWearables">Wearables</h4>
+ <span class="anchor-reference-id">(<a
href="#SpywareOnWearables">#SpywareOnWearables</a>)</span>
</div>
-<p>Emo Phillips made a joke: The other day a woman came up to me and
-said, “Didn't I see you on television?” I said, “I
-don't know. You can't see out the other way.” Evidently that was
-before Amazon “smart” TVs.</p>
-
-<ul>
- <li><p>Some “Smart” TVs
- automatically <a
href="https://news.ycombinator.com/item?id=16727319">load
- downgrades that install a surveillance app</a>.</p>
-
- <p>We link to the article for the facts it presents. It is too bad
- that the article finishes by advocating the moral weakness of
- surrendering to Netflix. The Netflix
- app <a
href="/proprietary/malware-google.html#netflix-app-geolocation-drm">is
- malware too</a>.</p>
- </li>
+<ul class="blurbs">
+ <li id="M201807260">
+ <p>Tommy Hilfiger clothing <a
+
href="https://www.theguardian.com/fashion/2018/jul/26/tommy-hilfiger-new-clothing-line-monitor-customers">will
+ monitor how often people wear it</a>.</p>
- <li>
- <p>Vizio
- “smart” <a
href="https://www.ftc.gov/news-events/blogs/business-blog/2017/02/what-vizio-was-doing-behind-tv-screen">TVs
- report everything that is viewed on them, and not just broadcasts
- and cable</a>. Even if the image is coming from the user's own
- computer, the TV reports what it is. The existence of a way to
- disable the surveillance, even if it were not hidden as it was in
- these TVs, does not legitimize the surveillance.</p>
+ <p>This will teach the sheeple to find it normal that companies
+ monitor every aspect of what they do.</p>
</li>
+</ul>
- <li><p>More or less all “smart” TVs <a
-href="http://www.myce.com/news/reseachers-all-smart-tvs-spy-on-you-sony-monitors-all-channel-switches-72851/">spy
- on their users</a>.</p>
-
- <p>The report was as of 2014, but we don't expect this has got better.</p>
- <p>This shows that laws requiring products to get users' formal
- consent before collecting personal data are totally inadequate.
- And what happens if a user declines consent? Probably the TV
- will say, “Without your consent to tracking, the TV will
- not work.”</p>
+<h5 id="SpywareOnSmartWatches">“Smart” Watches</h5>
- <p>Proper laws would say that TVs are not allowed to report what
- the user watches — no exceptions!</p>
- </li>
- <li><p>Vizio goes a step further than other TV manufacturers in spying on
- their users: their <a
href="http://www.propublica.org/article/own-a-vizio-smart-tv-its-watching-you">
- “smart” TVs analyze your viewing habits in detail and
- link them your IP address</a> so that advertisers can track you
- across devices.</p>
-
- <p>It is possible to turn this off, but having it enabled by default
- is an injustice already.</p>
- </li>
-
- <li><p>Tivo's alliance with Viacom adds 2.3 million households to
- the 600 millions social media profiles the company already
- monitors. Tivo customers are unaware they're being watched by
- advertisers. By combining TV viewing information with online
- social media participation, Tivo can now <a
href="http://www.reuters.com/article/viacom-tivo-idUSL1N12U1VV20151102">correlate
TV
- advertisement with online purchases</a>, exposing all users to
- new combined surveillance by default.</p></li>
- <li><p>Some web and TV advertisements play inaudible sounds to be
- picked up by proprietary malware running on other devices in
- range so as to determine that they are nearby. Once your
- Internet devices are paired with your TV, advertisers can
- correlate ads with Web activity, and
- other <a
href="http://arstechnica.com/tech-policy/2015/11/beware-of-ads-that-use-inaudible-sound-to-link-your-phone-tv-tablet-and-pc/">cross-device
tracking</a>.</p>
- </li>
- <li><p>Vizio “smart” TVs recognize and
- <a
href="http://www.engadget.com/2015/07/24/vizio-ipo-inscape-acr/">track what
people are watching</a>,
- even if it isn't a TV channel.</p>
- </li>
- <li><p>The Amazon “Smart” TV
- <a
href="http://www.theguardian.com/technology/shortcuts/2014/nov/09/amazon-echo-smart-tv-watching-listening-surveillance">is
- snooping all the time</a>.</p>
- </li>
- <li><p>The Samsung “Smart” TV
- <a
href="http://www.consumerreports.org/cro/news/2015/02/who-s-the-third-party-that-samsung-and-lg-smart-tvs-are-sharing-your-voice-data-with/index.htm">transmits
users' voice on the internet to another
- company, Nuance</a>. Nuance can save it and would then have to
- give it to the US or some other government.</p>
- <p>Speech recognition is not to be trusted unless it is done
- by free software in your own computer.</p>
+<ul class="blurbs">
+ <li id="M201603020">
+ <p>A very cheap “smart watch” comes with an Android app <a
+
href="https://www.theregister.co.uk/2016/03/02/chinese_backdoor_found_in_ebays_popular_cheap_smart_watch/">
+ that connects to an unidentified site in China</a>.</p>
- <p>In its privacy policy, Samsung explicitly confirms
- that <a
href="http://theweek.com/speedreads/538379/samsung-warns-customers-not-discuss-personal-information-front-smart-tvs">voice
- data containing sensitive information will be transmitted to
- third parties</a>.</p>
+ <p>The article says this is a back door, but that could be a
+ misunderstanding. However, it is certainly surveillance, at least.</p>
</li>
- <li><p>Spyware in
- <a
href="http://doctorbeet.blogspot.co.uk/2013/11/lg-smart-tvs-logging-usb-filenames-and.html">
- LG “smart” TVs</a> reports what the user watches, and
- the switch to turn this off has no effect. (The fact that the
- transmission reports a 404 error really means nothing; the server
- could save that data anyway.)</p>
-
- <p>Even worse, it
- <a
href="http://rambles.renney.me/2013/11/lg-tv-logging-filenames-from-network-folders/">
- snoops on other devices on the user's local network.</a></p>
-
- <p>LG later said it had installed a patch to stop this, but any product
- could spy this way.</p>
- <p>Meanwhile, LG TVs
- <a
href="http://www.techdirt.com/articles/20140511/17430627199/lg-will-take-smart-out-your-smart-tv-if-you-dont-agree-to-share-your-viewing-search-data-with-third-parties.shtml">
do lots of spying anyway</a>.</p>
- </li>
- <li>
- <p><a
href="http://arstechnica.com/business/2015/05/verizon-fios-reps-know-what-tv-channels-you-watch/">Verizon
cable TV snoops on what programs people watch, and even what they wanted to
record.</a></p>
+ <li id="M201407090">
+ <p>An LG “smart” watch is designed <a
+
href="http://www.huffingtonpost.co.uk/2014/07/09/lg-kizon-smart-watch_n_5570234.html">
+ to report its location to someone else and to transmit conversations
+ too</a>.</p>
</li>
</ul>
-<!-- #SpywareInGames -->
-<div class="big-section">
- <h3 id="SpywareInGames">Spyware in Games</h3>
- <span class="anchor-reference-id">(<a
href="#SpywareInGames">#SpywareInGames</a>)</span>
-</div>
-<div style="clear: left;"></div>
-
-<ul>
- <li>
- <p>Red Shell is a spyware that is found in many proprietary games. It <a
-
href="https://nebulous.cloud/threads/red-shell-illegal-spyware-for-steam-games.31924/">
- tracks data on users' computers and sends it to third parties</a>.</p>
- </li>
-
- <li>
- <p>Blizzard Warden is a hidden “cheating-prevention” program
- that <a
- href="https://www.eff.org/deeplinks/2005/10/new-gaming-feature-spyware">
- spies on every process running on a gamer's computer and sniffs a
- good deal of personal data</a>, including lots of activities which
- have nothing to do with cheating.</p>
- </li>
-
- <li>
- <p>ArenaNet surreptitiously installed a spyware program along with an
- update to the massive multiplayer game Guild War 2. The spyware
- allowed ArenaNet <a
href="https://techraptor.net/content/arenanet-used-spyware-anti-cheat-for-guild-wars-2-banwave">
- to snoop on all open processes running on its user's
- computer</a>.</p>
- </li>
- <li>
- <p>The driver for a certain gaming keyboard <a
href="https://thehackernews.com/2017/11/mantistek-keyboard-keylogger.html">sends
information
- to China</a>.</p>
- </li>
+<div class="big-subsection">
+ <h4 id="SpywareInVehicles">Vehicles</h4>
+ <span class="anchor-reference-id">(<a
href="#SpywareInVehicles">#SpywareInVehicles</a>)</span>
+</div>
- <li><p>nVidia's proprietary GeForce Experience <a
href="http://www.gamersnexus.net/industry/2672-geforce-experience-data-transfer-analysis">makes
- users identify themselves and then sends personal data about them to
- nVidia servers</a>.</p>
+<ul class="blurbs">
+ <li id="M201711230">
+ <p>AI-powered driving apps can <a
+
href="https://motherboard.vice.com/en_us/article/43nz9p/ai-powered-driving-apps-can-track-your-every-move">
+ track your every move</a>.</p>
</li>
- <li><p>Angry Birds
- <a
href="http://www.nytimes.com/2014/01/28/world/spy-agencies-scour-phone-apps-for-personal-data.html">
- spies for companies, and the NSA takes advantage to spy through it
too</a>.
- Here's information on
- <a
href="http://confabulator.blogspot.com/2012/11/analysis-of-what-information-angry.html">
- more spyware apps</a>.</p>
- <p><a
href="http://www.propublica.org/article/spy-agencies-probe-angry-birds-and-other-apps-for-personal-data">
- More about NSA app spying</a>.</p>
+ <li id="M201607160">
+ <p>Computerized cars with nonfree software are <a
+
href="http://www.thelowdownblog.com/2016/07/your-cars-been-studying-you-closely-and.html">
+ snooping devices</a>.</p>
</li>
- <li><p>Many
- <a
href="http://www.thestar.com/news/canada/2015/12/29/how-much-data-are-video-games-collecting-about-you.html/">
- video game consoles snoop on their users and report to the
- internet</a>— even what their users weigh.</p>
+ <li id="M201602240">
+ <p id="nissan-modem">The Nissan Leaf has a built-in
+ cell phone modem which allows effectively anyone to <a
+ href="https://www.troyhunt.com/controlling-vehicle-features-of-nissan/">
+ access its computers remotely and make changes in various
+ settings</a>.</p>
- <p>A game console is a computer, and you can't trust a computer with
- a nonfree operating system.</p>
+ <p>That's easy to do because the system has no authentication
+ when accessed through the modem. However, even if it asked
+ for authentication, you couldn't be confident that Nissan
+ has no access. The software in the car is proprietary, <a
+ href="/philosophy/free-software-even-more-important.html">which means
+ it demands blind faith from its users</a>.</p>
+
+ <p>Even if no one connects to the car remotely, the cell phone modem
+ enables the phone company to track the car's movements all the time;
+ it is possible to physically remove the cell phone modem, though.</p>
+ </li>
+
+ <li id="M201306140">
+ <p>Tesla cars allow the company to extract
+ data remotely and determine the car's location
+ at any time. (See Section 2, paragraphs b and c of the <a
+
href="http://www.teslamotors.com/sites/default/files/pdfs/tmi_privacy_statement_external_6-14-2013_v2.pdf">
+ privacy statement</a>.) The company says it doesn't store this
+ information, but if the state orders it to get the data and hand it
+ over, the state can store it.</p>
+ </li>
+
+ <li id="M201303250">
+ <p id="records-drivers">Proprietary software in cars <a
+
href="http://www.usatoday.com/story/money/cars/2013/03/24/car-spying-edr-data-privacy/1991751/">
+ records information about drivers' movements</a>, which is made
+ available to car manufacturers, insurance companies, and others.</p>
+
+ <p>The case of toll-collection systems, mentioned in this article,
+ is not really a matter of proprietary surveillance. These systems
+ are an intolerable invasion of privacy, and should be replaced with
+ anonymous payment systems, but the invasion isn't done by malware. The
+ other cases mentioned are done by proprietary malware in the car.</p>
</li>
+</ul>
- <li><p>Modern gratis game cr…apps
- <a
href="http://toucharcade.com/2015/09/16/we-own-you-confessions-of-a-free-to-play-producer/">
- collect a wide range of data about their users and their users'
- friends and associates</a>.</p>
- <p>Even nastier, they do it through ad networks that merge the data
- collected by various cr…apps and sites made by different
- companies.</p>
+<div class="big-subsection">
+ <h4 id="SpywareInVR">Virtual Reality</h4>
+ <span class="anchor-reference-id">(<a
href="#SpywareInVR">#SpywareInVR</a>)</span>
+</div>
- <p>They use this data to manipulate people to buy things, and hunt
- for “whales” who can be led to spend a lot of money. They
- also use a back door to manipulate the game play for specific
players.</p>
+<ul class="blurbs">
+ <li id="M201612230">
+ <p>VR equipment, measuring every slight motion,
+ creates the potential for the most intimate
+ surveillance ever. All it takes to make this potential real <a
+
href="https://theintercept.com/2016/12/23/virtual-reality-allows-the-most-detailed-intimate-digital-surveillance-yet/">is
+ software as malicious as many other programs listed in this
+ page</a>.</p>
- <p>While the article describes gratis games, games that cost money
- can use the same tactics.</p>
+ <p>You can bet Facebook will implement the maximum possible
+ surveillance on Oculus Rift devices. The moral is, never trust a VR
+ system with nonfree software in it.</p>
</li>
</ul>
-<!-- #SpywareAtRecreation -->
-<div class="big-section">
- <h3 id="SpywareAtRecreation">Spyware at Recreation</h3>
- <span class="anchor-reference-id">
- (<a href="#SpywareAtRecreation">#SpywareAtRecreation</a>)</span>
-</div>
-<div style="clear: left;"></div>
-<ul>
- <li><p>Users are suing Bose for
- <a
href="https://www.washingtonpost.com/news/the-switch/wp/2017/04/19/bose-headphones-have-been-spying-on-their-customers-lawsuit-claims/">
- distributing a spyware app for its headphones</a>.
- Specifically, the app would record the names of the audio files
- users listen to along with the headphone's unique serial number.
- </p>
- <p>The suit accuses that this was done without the users' consent.
- If the fine print of the app said that users gave consent for this,
- would that make it acceptable? No way! It should be flat out
- <a href="/philosophy/surveillance-vs-democracy.html">
- illegal to design the app to snoop at all</a>.
- </p>
- </li>
-</ul>
-
-<!-- #SpywareOnTheWeb -->
<div class="big-section">
<h3 id="SpywareOnTheWeb">Spyware on the Web</h3>
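Review bot: The new "Other Appliances" subsection keeps id="SpywareAtHome", which no longer matches its heading, and it is the only subsection in this hunk where the anchor-reference span sits on the same line as the closing </h4>. If the id is kept only so that old inbound links keep working, say so in a comment or in the recfile, and put the span on its own line like the Cameras, Toys, Drones, Wearables, Vehicles and Virtual Reality blocks. The big-section ids SpywareOnTheRoad and SpywareAtRecreation are deleted here; unless they are reintroduced elsewhere in the patch, links to those fragments will stop resolving, so check for references from other pages. The "Smart" Watches h5 has no anchor-reference span at all, which is worth confirming as intentional. In the CloudPets item, "leak childrens' conversations" should read "children's".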
@@ -1514,193 +1728,186 @@
makes no sense to call them “free” or
“proprietary”</a>,
but the surveillance is an abuse all the same.</p>
-<ul>
- <li><p> The Storyful
- program <a
href="https://www.theguardian.com/world/2018/may/17/revealed-how-storyful-uses-tool-monitor-what-journalists-watch">spies
- on the reporters that use it</a>.
- </p></li>
-
- <li><p>When a page uses Disqus for
- comments, <a
href="https://blog.dantup.com/2017/01/visiting-a-site-that-uses-disqus-comments-when-not-logged-in-sends-the-url-to-facebook">the
- proprietary Disqus software loads a Facebook software package into
- the browser of every anonymous visitor to the page, and makes the
- page's URL available to Facebook</a>.
- </p></li>
-
- <li><p>Online sales, with tracking and surveillance of customers, <a
href="https://www.theguardian.com/commentisfree/2016/dec/06/cookie-monsters-why-your-browsing-history-could-mean-rip-off-prices">enables
- businesses to show different people different prices</a>. Most
- of the tracking is done by recording interactions with
- servers, but proprietary software contributes.</p>
- </li>
-
- <li><p><a
href="https://www.techrepublic.com/blog/asian-technology/japanese-government-warns-baidu-ime-is-spying-on-users/">
- Baidu's Japanese-input and Chinese-input apps spy on users.</a></p>
- </li>
-
- <li><p>Pages that contain “Like” buttons <a
-
href="https://www.smh.com.au/technology/facebooks-privacy-lie-aussie-exposes-tracking-as-new-patent-uncovered-20111004-1l61i.html">
- enable Facebook to track visitors to those pages</a>—even
- users that don't have Facebook accounts.</p>
- </li>
-
- <li><p>Many web sites rat their visitors to advertising networks that track
- users. Of the top 1000 web sites, <a
+<ul class="blurbs">
+ <li id="M201805170">
+ <p>The Storyful program <a
+
href="https://www.theguardian.com/world/2018/may/17/revealed-how-storyful-uses-tool-monitor-what-journalists-watch">spies
+ on the reporters that use it</a>.</p>
+ </li>
+
+ <li id="M201701060">
+ <p>When a page uses Disqus
+ for comments, the proprietary Disqus software <a
+
href="https://blog.dantup.com/2017/01/visiting-a-site-that-uses-disqus-comments-when-not-logged-in-sends-the-url-to-facebook">loads
+ a Facebook software package into the browser of every anonymous visitor
+ to the page, and makes the page's URL available to Facebook</a>.</p>
+ </li>
+
+ <li id="M201612064">
+ <p>Online sales, with tracking and surveillance of customers, <a
+
href="https://www.theguardian.com/commentisfree/2016/dec/06/cookie-monsters-why-your-browsing-history-could-mean-rip-off-prices">enables
+ businesses to show different people different prices</a>. Most of
+ the tracking is done by recording interactions with servers, but
+ proprietary software contributes.</p>
+ </li>
+
+ <li id="M201405140">
+ <p><a
+
href="http://www.itproportal.com/2014/05/14/microsoft-openly-offered-cloud-data-fbi-and-nsa/">
+ Microsoft SkyDrive allows the NSA to directly examine users'
+ data</a>.</p>
+ </li>
+
+ <li id="M201210240">
+ <p>Many web sites rat their visitors to advertising
+ networks that track users. Of the top 1000 web sites, <a
href="https://www.law.berkeley.edu/research/bclt/research/privacy-at-bclt/web-privacy-census/">84%
- (as of 5/17/2012) fed their visitors third-party cookies, allowing other
- sites to track them</a>.</p>
+ (as of 5/17/2012) fed their visitors third-party cookies, allowing
+ other sites to track them</a>.</p>
</li>
- <li><p>Many web sites report all their visitors to Google by using
- the Google Analytics service, which
- <a
href="http://www.pcworld.idg.com.au/article/434164/google_analytics_breaks_norwegian_privacy_laws_local_agency_said/">
- tells Google the IP address and the page that was visited.</a></p>
+ <li id="M201208210">
+ <p>Many web sites report all their visitors
+ to Google by using the Google Analytics service, which <a
+
href="http://www.pcworld.idg.com.au/article/434164/google_analytics_breaks_norwegian_privacy_laws_local_agency_said/">
+ tells Google the IP address and the page that was visited</a>.</p>
</li>
- <li><p>Many web sites try to collect users' address books (the
- user's list of other people's phone numbers or email addresses).
- This violates the privacy of those other people.</p>
+ <li id="M201200000">
+ <p>Many web sites try to collect users' address books (the user's list
+ of other people's phone numbers or email addresses). This violates
+ the privacy of those other people.</p>
</li>
- <li><p><a
href="http://www.itproportal.com/2014/05/14/microsoft-openly-offered-cloud-data-fbi-and-nsa/">
- Microsoft SkyDrive allows the NSA to directly examine users'
data</a>.</p>
+ <li id="M201110040">
+ <p>Pages that contain “Like” buttons <a
+
href="https://www.smh.com.au/technology/facebooks-privacy-lie-aussie-exposes-tracking-as-new-patent-uncovered-20111004-1l61i.html">
+ enable Facebook to track visitors to those pages</a>—even users
+ that don't have Facebook accounts.</p>
</li>
</ul>
-<!-- WEBMASTERS: make sure to place new items on top under each subsection -->
+
<div class="big-subsection">
- <h4 id="SpywareInFlash">Spyware in JavaScript and Flash</h4>
- <span class="anchor-reference-id">(<a
href="#SpywareInFlash">#SpywareInFlash</a>)</span>
+ <h4 id="SpywareInJavaScript">JavaScript</h4>
+ <span class="anchor-reference-id">(<a
href="#SpywareInJavaScript">#SpywareInJavaScript</a>)</span>
</div>
-<ul>
- <li>
- <p>British Airways
- used <a
href="https://www.theverge.com/2018/7/19/17591732/british-airways-gdpr-compliance-twitter-personal-data-security">nonfree
- JavaScript on its web site to give other companies personal data
- on its customers</a>.</p>
+<ul class="blurbs">
+ <li id="M201807190">
+ <p>British Airways used <a
+
href="https://www.theverge.com/2018/7/19/17591732/british-airways-gdpr-compliance-twitter-personal-data-security">nonfree
+ JavaScript on its web site to give other companies personal data on
+ its customers</a>.</p>
</li>
- <li>
+ <li id="M201712300">
<p>Some JavaScript malware <a
href="https://www.theverge.com/2017/12/30/16829804/browser-password-manager-adthink-princeton-research">
swipes usernames from browser-based password managers</a>.</p>
</li>
- <li>
- <p>Some websites send JavaScript code to collect all the user's
- input, <a
href="https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/">which
can then
- be used to reproduce the whole session</a>.</p>
-
- <p>If you use LibreJS, it will block that malicious JavaScript
- code.</p>
- </li>
-
- <li><p>Many web sites use JavaScript code <a
+ <li id="M201712210">
+ <p>Many web sites use JavaScript code <a
href="http://gizmodo.com/before-you-hit-submit-this-company-has-already-logge-1795906081">
- to snoop on information that users have typed into a form but not
- sent</a>, in order to learn their identity. Some are <a
+ to snoop on information that users have typed into a
+ form but not sent</a>, in order to learn their identity. Some are <a
href="https://www.manatt.com/Insights/Newsletters/Advertising-Law/Sites-Illegally-Tracked-Consumers-New-Suits-Allege">
getting sued</a> for this.</p>
</li>
- <li><p>Flash Player's
- <a
href="http://www.imasuper.com/66/technology/flash-cookies-the-silent-privacy-killer/">
- cookie feature helps web sites track visitors</a>.</p>
- </li>
+ <li id="M201711150">
+ <p>Some websites send
+ JavaScript code to collect all the user's input, <a
+
href="https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/">which
+ can then be used to reproduce the whole session</a>.</p>
- <li><p>Flash and JavaScript are also used for
- <a
href="http://arstechnica.com/security/2013/10/top-sites-and-maybe-the-nsa-track-users-with-device-fingerprinting/">
- “fingerprinting” devices</a> to identify users.</p>
+ <p>If you use LibreJS, it will block that malicious JavaScript
+ code.</p>
</li>
</ul>
-<!-- WEBMASTERS: make sure to place new items on top under each subsection -->
+
<div class="big-subsection">
- <h4 id="SpywareInChrome">Spyware in Chrome</h4>
- <span class="anchor-reference-id">(<a
href="#SpywareInChrome">#SpywareInChrome</a>)</span>
+ <h4 id="SpywareInFlash">Flash</h4>
+ <span class="anchor-reference-id">(<a
href="#SpywareInFlash">#SpywareInFlash</a>)</span>
</div>
-<ul>
- <li><p>Google Chrome
- <a href="https://www.brad-x.com/2013/08/04/google-chrome-is-spyware/">
- spies on browser history, affiliations</a>,
- and other installed software.
- </p>
- </li>
- <li><p>Google Chrome contains a key logger that
- <a href="http://www.favbrowser.com/google-chrome-spyware-confirmed/">
- sends Google every URL typed in</a>, one key at a time.</p>
- </li>
-
- <li><p>Google Chrome includes a module that
- <a
href="https://www.privateinternetaccess.com/blog/2015/06/google-chrome-listening-in-to-your-room-shows-the-importance-of-privacy-defense-in-depth/">
- activates microphones and transmits audio to its servers</a>.</p>
+<ul class="blurbs">
+ <li id="M201310110">
+ <p>Flash and JavaScript are used for <a
+
href="http://arstechnica.com/security/2013/10/top-sites-and-maybe-the-nsa-track-users-with-device-fingerprinting/">
+ “fingerprinting” devices</a> to identify users.</p>
</li>
- <li><p>Google Chrome makes it easy for an extension to do <a
-
href="https://labs.detectify.com/2015/07/28/how-i-disabled-your-chrome-security-extensions/">total
- snooping on the user's browsing</a>, and many of them do so.</p>
+ <li id="M201003010">
+ <p>Flash Player's <a
+
href="http://www.imasuper.com/66/technology/flash-cookies-the-silent-privacy-killer/">
+ cookie feature helps web sites track visitors</a>.</p>
</li>
</ul>
-<!-- #SpywareInDrones -->
-<div class="big-section">
- <h3 id="SpywareInDrones">Spyware in Drones</h3>
- <span class="anchor-reference-id">(<a
href="#SpywareInDrones">#SpywareInDrones</a>)</span>
+<div class="big-subsection">
+ <h4 id="SpywareInChrome">Chrome</h4>
+ <span class="anchor-reference-id">(<a
href="#SpywareInChrome">#SpywareInChrome</a>)</span>
</div>
-<div style="clear: left;"></div>
-<ul>
- <li>
- <p>While you're using a DJI drone to snoop on other people, DJI is in many
- cases <a
href="https://www.theverge.com/2017/8/4/16095244/us-army-stop-using-dji-drones-cybersecurity">snooping
on you</a>.</p>
+<ul class="blurbs">
+ <li id="M201507280">
+ <p>Google Chrome makes it easy for an extension to do <a
+
href="https://labs.detectify.com/2015/07/28/how-i-disabled-your-chrome-security-extensions/">total
+ snooping on the user's browsing</a>, and many of them do so.</p>
</li>
-</ul>
+ <li id="M201506180">
+ <p>Google Chrome includes a module that <a
+
href="https://www.privateinternetaccess.com/blog/2015/06/google-chrome-listening-in-to-your-room-shows-the-importance-of-privacy-defense-in-depth/">
+ activates microphones and transmits audio to its servers</a>.</p>
+ </li>
-<!-- #SpywareEverywhere -->
-<div class="big-section">
- <h3 id="SpywareEverywhere">Spyware Everywhere</h3>
- <span class="anchor-reference-id">(<a
href="#SpywareEverywhere">#SpywareEverywhere</a>)</span>
-</div>
-<div style="clear: left;"></div>
-
-<ul>
- <li><p>The natural extension of monitoring people through
- “their” phones is <a
-
href="http://www.northwestern.edu/newscenter/stories/2016/01/fool-activity-tracker.html">
- proprietary software to make sure they can't “fool” the
- monitoring</a>.</p>
+ <li id="M201308040">
+ <p>Google Chrome <a
+ href="https://www.brad-x.com/2013/08/04/google-chrome-is-spyware/">
+ spies on browser history, affiliations</a>, and other installed
+ software.</p>
</li>
- <li><p><a
href="https://www.pocket-lint.com/laptops/news/intel/134954-cortana-is-always-listening-with-new-wake-on-voice-tech-even-when-windows-10-is-sleeping">
- Intel devices will be able to listen for speech all the time, even when
“off.”</a></p>
+ <li id="M200809060">
+ <p>Google Chrome contains a key logger that <a
+ href="http://www.favbrowser.com/google-chrome-spyware-confirmed/">
+ sends Google every URL typed in</a>, one key at a time.</p>
</li>
</ul>
-<!-- #SpywareInVR -->
+
+
<div class="big-section">
- <h3 id="SpywareInVR">Spyware In VR</h3>
- <span class="anchor-reference-id">(<a
href="#SpywareInVR">#SpywareInVR</a>)</span>
+ <h3 id="SpywareInNetworks">Spyware in Networks</h3>
+ <span class="anchor-reference-id">(<a
href="#SpywareInNetworks">#SpywareInNetworks</a>)</span>
</div>
<div style="clear: left;"></div>
-<ul>
- <li><p>VR equipment, measuring every slight motion, creates the
- potential for the most intimate surveillance ever. All it takes
- to make this potential
- real <a
href="https://theintercept.com/2016/12/23/virtual-reality-allows-the-most-detailed-intimate-digital-surveillance-yet/">is
- software as malicious as many other programs listed in this
- page</a>.</p>
+<ul class="blurbs">
+ <li id="M201606030">
+ <p>Investigation Shows <a
+
href="https://www.techdirt.com/articles/20160602/17210734610/investigation-shows-gchq-using-us-companies-nsa-to-route-around-domestic-surveillance-restrictions.shtml">GCHQ
+ Using US Companies, NSA To Route Around Domestic Surveillance
+ Restrictions</a>.</p>
- <p>You can bet Facebook will implement the maximum possible
- surveillance on Oculus Rift devices. The moral is, never trust a
- VR system with nonfree software in it.</p>
+ <p>Specifically, it can collect the emails of members of Parliament
+ this way, because they pass it through Microsoft.</p>
+ </li>
+
+ <li id="M201212290">
+ <p>The Cisco TNP IP phones are <a
+ href="http://boingboing.net/2012/12/29/your-cisco-phone-is-listening.html">
+ spying devices</a>.</p>
</li>
</ul>
+
</div><!-- for id="content", starts in the include above -->
<!--#include virtual="/server/footer.html" -->
<div id="footer">
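Review bot: In the new Flash list, item M201310110 ("Flash and JavaScript are used for fingerprinting devices") now appears only under the Flash heading, so the new JavaScript list (M201807190 through M201711150) has no fingerprinting entry even though the blurb still names JavaScript. Consider listing it under both subsections or adding a cross-reference from #SpywareInJavaScript. Related to the same split: the id SpywareInFlash used to head the combined "Spyware in JavaScript and Flash" list and now heads the Flash-only list, so any existing link to #SpywareInFlash that was meant for the JavaScript items (session replay, form snooping) will land on the wrong list; worth checking the rest of the site for such links before this goes out. A wording point in the new Spyware in Networks list: the M201606030 blurb keeps the article headline in title case ("Investigation Shows ... GCHQ Using US Companies, NSA To Route Around ..."), and its second paragraph says "they pass it through Microsoft" where the antecedent is "the emails"; a sentence with GCHQ as the subject and "pass them" would read more clearly.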
@@ -1758,7 +1965,7 @@
<p class="unprintable">Updated:
<!-- timestamp start -->
-$Date: 2018/09/12 03:31:35 $
+$Date: 2018/09/30 18:00:47 $
<!-- timestamp end -->
</p>
</div>