TAG | tracking
The Internet is on fire with outrage right now about the security warnings in the Facebook Messenger app. The furor is based on the viral spread of a post on the Huffington Post back in December of last year. The issue has come to the fore because Facebook is taking the messaging capability out of the main Facebook app, so users will have to install the Messenger app if they want to continue to use the capability.
The particular problem is with the warnings presented to users when they install the app on Android. Many articles are describing this as the “terms of service” but the warning are the standard text displayed by Android based on the specific permissions the app is requesting.
Here are the warnings as listed in that original the Huffington Post article:
- Allows the app to change the state of network connectivity
- Allows the app to call phone numbers without your intervention. This may result in unexpected charges or calls. Malicious apps may cost you money by making calls without your confirmation.
- Allows the app to send SMS messages. This may result in unexpected charges. Malicious apps may cost you money by sending messages without your confirmation.
- Allows the app to record audio with microphone. This permission allows the app to record audio at any time without your confirmation.
- Allows the app to take pictures and videos with the camera. This permission allows the app to use the camera at any time without your confirmation.
- Allows the app to read you phone’s call log, including data about incoming and outgoing calls. This permission allows apps to save your call log data, and malicious apps may share call log data without your knowledge.
- Allows the app to read data about your contacts stored on your phone, including the frequency with which you’ve called, emailed, or communicated in other ways with specific individuals.
- Allows the app to read personal profile information stored on your device, such as your name and contact information. This means the app can identify you and may send your profile information to others.
- Allows the app to access the phone features of the device. This permission allows the app to determine the phone number and device IDs, whether a call is active, and the remote number connected by a call.
- Allows the app to get a list of accounts known by the phone. This may include any accounts created by applications you have installed.
This strikes me as more an inditement of the over broad requests for permissions by apps in Android than any particular evil intent on Facebook’s part. Obviously many of these things would be very bad indeed, if Facebook actually did them. After significant searching I have not seen any suggestion at all that Facebook is or is likely to do any of these things without your knowledge.
Many articles are ranting about the possibility that Facebook might turn on your camera or microphone without warning and capture embarrassing sounds or images. Doing so would be disastrous for Facebook, so it seems very unlikely.
After reviewing the actual Facebook privacy policies and terms of service in the Messenger app, I don’t see any sign that these actions would be permitted but of course Facebook does have the right to change the policies, basically at will.
Don’t take from this that I am a Facebook apologist. Anyone looking back through this blog will see many cases where I have criticized them and their actions (here, here, here, here for example). There are major problems with the amount of data Facebook collects, how they collect it from almost everywhere on the Internet (not just their website or apps), and their privacy policies. I have turned off location tracking for the Messenger app on my iPhone because I don’t want Facebook tracking that.
However….. Facebook is not going to start turning on your camera at night to take naked pictures of you! There is a lot about privacy on the Internet to worry about, lets stay focused on the real stuff rather than these fantasies.
The Internet is buzzing with discussions about a new kind of tracking called Canvas Fingerprinting. In fact, the technique goes back to a paper by Mowery and Shacham back in 2012. Canvas Fingerprinting gets most of its information from the hardware and software used to render images on a given computer. When asked to render a geometric curve or a modern font to the screen, the system has many decisions to make in the process of turning that into the brightness and color values of the pixels in the image. The technique for creating the Canvas Fingerprint is to give the browser a somewhat complex image to render, capture the actual pixel values produced, which is then hashed down to make the actual fingerprint.
Canvas Fingerprinting is really just another technique for capturing information about a user’s computer as part of a larger system fingerprint. I have been talking about tools like Panopticlick which take all kinds of different information they can see about your computer’s configuration to try to create a unique identifier. Testing my computer right now it says that my browser fingerprint contains at least 22 bits of entropy and is unique among the roughly 4.3 million users they have tested so far. Panopticlick uses information about the browser, operating system, time zone, fonts, plugins, and such to create the identifier.
By comparison, Canvas Fingerprinting contains on average 5.7 bits of entropy meaning that about one in 52 people on the Internet would have the exact same fingerprint. That makes it a lousy identifier on its own.
The real power of this new technique is in combination with other fingerprints like those used in Panopticlick. By combining the two there is about 27.7 bits of entropy which would identify me to one in 218 Million people. Once of the strengths of Canvas Fingerprinting is that it captures very different kinds of information than many other methods. For example, because a windows machine comes with a whole bunch of fonts installed, knowing that a computer is running windows immediately tells you a lot about the fonts. The two bits of information are hight correlated. The Canvas Fingerprint mostly gives information about the graphics subsystems. Knowing the operating system does not tell you very much at all about the specific chipset or firmware in the graphics processor, they are mostly independent.
So, in short Canvas Fingerprinting is not that big a deal, and folks should not get so worked up about it, however system fingerprinting in general IS a big deal. It is now good enough to allow individual users to be tracked even if they are deleting all their cookies and hiding their IP addresses with tools like Anonymizer Universal. System fingerprints are not identifying in the same way an IP address is, but they do allow a person to be recognized when they revisit a website, or a cooperating website.
Current best practice to minimize System Fingerprint based tracking (including Canvas Fingerprinting) is to run the browser inside a clean and un-customized virtual machine, which you then revert back to the clean state at the end of every use. That will give your browser a maximally generic identifier, while also eliminating all other kinds of tracking techniques.
The city of Chicago is getting ready to deploy several monitoring stations on light poles along Michigan Avenue. In addition to collecting environmental information like sound volume, light intensity, and air quality, the devices will also count people by detecting wireless signals from passing mobile devices.
The system is designed to only count devices without capturing unique identifiers. While this may be true, it would certainly be easy to change in the future with only a tiny tweak to the software.
This set up looks similar to the tracking trashcans I discussed last year.
Capturing this kind of data is inevitable, and would be invisible if the city had not announced its intentions. The key will be to ensure appropriate protections for collected information, whoever does the collecting. It is refreshing that all of the data captured as part of this project will be published immediately. Assuming nothing is held back that will give a clear sense of exactly what kinds of information can be extrapolated from the raw data.i
Additionally architectural changes like the random MAC addresses in iOS 8 can significantly improve privacy in the face for such monitoring and tracking.
A federal appeals court in Atlanta ruled that there is an expectation of privacy in cell tower location information, and therefor it is protected by the Fourth Amendment. This runs counter to other recent rulings that allow access to the information without a warrant under the Stored Communications Act.
The recent ruling relies on precedent from the 2012 Supreme Court decision in United States vs. Jones which stated that a warrant was required to place a tracking device on a suspects car. Phone records provide the same information, just with a different technical means.
This would not apply to intelligence gathering activities, nor would it prevent access to your location information with a warrant. It is a move to recognize that our personal information, about which we have real privacy interests, is increasingly existing in the networks of third parties. Laws that assume anything sensitive would be on paper and stored in your house or on your person are absurdly outdated.
For now this is only a local precedent. The issue will almost certainly end up in the Supreme Court at some point.
News just broke of a new feature in iOS 8 announced at Apple’s WWDC which was not covered in the big keynote. Advertisers and retail outlets have been using Wi-Fi to track mobile devices for some time. I talked about a network of Wi-Fi tracking trashcans last year in the podcast.
This works because, by default, most mobile devices are constantly on the lookout for Wi-Fi networks. The device communicates with visible base stations to see if they are known, if they are secure, and what they are called. That communication reveals the MAC address of the device’s Wi-Fi.
Like the address on your house, your phone number, or IP addresses, MAC addresses are globally unique identifiers. Everything that can speak Wi-Fi has its own individual MAC address. This makes it a great hook for tracking. If someone sets up a bunch of Wi-Fi base stations, most mobile devices going by will try to connect, giving it their MAC address. By looking at the pattern of those connections, the device can be tracked.
More sophisticated solutions have even used signal strength to triangulate the location of devices within a small area.
The big news is that Apple is going to randomize the MAC addresses of iOS 8 devices when they are probing for networks. If the device were to probe network base stations A, B, and C they would all see different MAC addresses and think that they were tracking different devices. The iPhone or iPad would still use its real MAC when establishing a full connection, but would not provide it to all of the networks it only probes but never actually uses.
This is a really small change which provides significant privacy gains. It is similar to the decision Apple made to use randomized IPv6 addresses by default, rather than ones which uniquely identify the computer or mobile device.
Of course, Apple is also working hard to track us all with iBeacons at the same time….