FTC lawsuit exposes major privacy risk, and it’s your phone’s fault

The Federal Trade Commission complaint lodged against Kochava Inc. on August 29, 2022, accusing the data broker of selling geolocation data from hundreds of millions of mobile devices.

Consumers are often unaware that their location data is being sold and their past movements can be tracked, according to the commission.

The FTC lawsuit clarified that Kochava’s data can be used to track consumers to sensitive locationsincluding “to identify the mobile devices of consumers who have visited reproductive health clinics”.

When the United States Supreme Court quashed Roe v. Wade on June 24, 2022, many people seeking abortion care found themselves in legal danger.

Numerous state laws criminalizing abortion have brought the perilous state of privacy into the spotlight.

Like a cybersecurity and privacy researcherI saw how easily people’s movements and activities can be tracked.

If people want to go incognito to an abortion clinic, according to well-meaning advicethey have to plan their trip like a CIA agent would – and get a phone burner.

Unfortunately, this would still not be sufficient to guarantee confidentiality.

Using a map app to plan a route, submitting terms to a search engine, and chatting online are ways people actively share their personal data.

But mobile devices share far more data than what their users say or type.

They share information with the network about who they contacted, when they did so, how long the communication lasted, and what type of device was used. Devices need to do this to connect a phone call or send an email.

Who’s talking to who

Image: KnowTechie

When NSA whistleblower Edward Snowden disclosed that the National Security Agency collected metadata from Americans’ phone calls – the Detailed call records – in bulk in order to hunt down terrorists, there was much public consternation.

The public was rightly concerned about the loss of his privacy.

Stanford researchers later showed that detailed call records along with publicly available information could reveal sensitive informationfor example if someone had a heart problem and their arrhythmia monitoring device malfunctioned or if they were considering opening a marijuana dispensary.

Often you don’t have to listen to know what someone is thinking or planning. Call detail records – who called who and when – can reveal all.

Transmission Information in Internet Communications – IP packet headers – can reveal even more than detailed call records.

When making an encrypted voice call over the Internet – a Voice over IP call – the content may be encrypted, but the information in the packet header may still sometimes divulge some of the words you speak.

A pocket full of sensors

This is not the only information provided by your communication device. Smartphones are computers, and they have many sensors.

In order for your phone to display information correctly, it has a gyroscope and an accelerometer; to preserve battery life, it has a power meter; to provide indications, a magnetometer.

Just as communication metadata can be used to track what you are doing, these sensors can be used for other purposes.

You can turn off GPS to prevent apps from tracking your location, but data from a phone’s gyroscope, accelerometer, and magnetometer can also track where you are going.

This sensor data could be attractive to businesses.

For instance, Facebook has a patent which relies on the different wireless networks near a user to determine when two people may have been frequently near each other – at a conference, on a commuter bus – as a basis for providing an introduction.

Claim? You bet.

As someone who rode the NYC subways in their youth, the last thing I want is for my phone to introduce me to someone who has repeatedly stood too close to me in a car. metro.

Uber knows that people really want to take a ride when their battery is low. Does the company verify this data and charge more? Uber claims not, but the possibility is there.

And it’s not just apps that have access to this wealth of data. Data brokers obtain this information from the applications, then compile it with other data and provide it to companies and Governments to use for their own purposes.

This can circumvent legal protections that require law enforcement to appear in court before obtaining this information.

Beyond Consent

phone with open map application in a hand wearing a glove
Image: Unsplash

There is little users can do to protect themselves. Communication metadata and device telemetry (information from phone sensors) are used to send, stream, and display content.

Not including them is usually not possible. And unlike search terms or map locations you consciously provide, metadata and telemetry are sent without you even seeing it.

Giving consent is implausible. There is too much of this data, and it is too complicated to decide each case. Every app you use — video, chat, web browsing, email — uses metadata and telemetry differently.

It is effectively impossible to provide truly informed consent indicating what information you provide and for what use.

If you use your cell phone for more than a clipboard, your visit to the cannabis dispensary and your personality – how extrovert you are or if you are likely to be at odds with your family since the 2016 election – can be learned from metadata and telemetry and shared.

This is true even for a burner phone bought with money, at least if you plan to turn the phone on.

Do this while carrying your regular phone and you’ll have revealed that the two phones are paired – and maybe even belong to you.

as little as four location points can identify a user, another way for your burner phone to reveal your identity.

If you’re driving with someone else, they’ll need to be just as careful or their phone will identify them – and you.

Metadata and telemetry information reveal a remarkable amount of you. But you don’t decide who gets that data, or what they do with it.

The reality of technological life

person holding smartphone showing apps like instagram
Image: Unsplash

There are certain constitutional guarantees to anonymity. For example, the Supreme Court ruled that the right of association, guaranteed by the First Amendmentis the right to associate in privatewithout providing membership lists to the state.

But with smartphones, it is a right that is effectively impossible to exercise. it is almost impossible to function without a mobile phone. Paper charts and public phone booths have practically disappeared.

If you want to do anything – travel from here to there, make appointments, order takeout or check the weather – you almost need a smartphone to do it.

It’s not just people who might be seeking abortions whose privacy is threatened by the data the phones broadcast. It could be your child applying for a job.

For example, the company could check location data to see if it participates in political protests. Or it could be you, when data from the gyroscope, accelerometer, and magnetometer reveals that you and your co-worker went to the same hotel room at night.

There is a way to solve this scary scenario, and that is for laws or regulations to require that the data you provide to send and receive communications – TikTok, SnapChat, YouTube – be used just for that, and nothing else. other.

It helps people who have abortions – and all of us too.

Do you have any thoughts on this? Report the discussion to our Twitter Where Facebook.

Editors recommendations:

Editor’s note: This article was written by Susan LandauProfessor of Cybersecurity and Policy, Tufts Universityand republished from The conversation under Creative Commons license. Read it original article.

The Conversation is an independent, nonprofit news organization dedicated to unleashing expert knowledge for the public good.

Comments are closed.