Firewalls Don’t Stop Dragons Podcast (transcript)
Carey Parker: Hey everybody, welcome back to Firewalls Don’t Stop Dragons. We’ve got another interview show for you today, and a great show it is. We’ll be talking with Daniel Davis from DuckDuckGo. DuckDuckGo is originally a privacy oriented search engine taking on Google, because as we all know Google is an advertising company and all those fun search terms that you put in there are saved away so that Google knows as much about you as is humanly possible. And if you want to prevent that, if you want to kind of claw back your privacy and take back some of these potentially sensitive things you might be searching for, then you need to check out DuckDuckGo’s search engine for sure.
But today we’ll get to talk about a new tool that they’ve got in their arsenal. They’re branching out and creating even more privacy tools, which is really wonderful. They’ve got a great new smartphone tool. So today we’re going to be talking and with Data Privacy Day just behind us we’re going to be talking about privacy on your mobile phone, is it even possible anymore? There’s so many things happening on your mobile phone. It’s got sensors coming out the wazoo and so many of those applications that you’re putting on your phone have requested permission to access all of those sensors. And if you’re not careful they can be reporting all sorts of things about you. And it’s really amazing to think of all the different ways you can take that data and figure things out. We’re going to talk a little bit with Daniel about that today. So, without further ado, let’s talk to Daniel Davis from DuckDuckGo about mobile privacy.
Hey, and today we’re welcoming back Daniel Davis who is a community manager at DuckDuckGo, a company that is helping users take back their privacy not just when searching but on the wider internet as well. Welcome back Daniel.
Daniel Davis: Hi there. Hi, thank you very much for inviting me back. It’s great to be here again.
Carey Parker: Now before we start, if you would, just remind our audience who DuckDuckGo is and what they’re about.
Daniel Davis: DuckDuckGo is originally a private search engine so you can search on the web anonymously without people tracking you, without your searches being tied to a personal profile or your history being stored or something like that. But very recently, in fact this week, we’ve just branched out beyond search to provide an app and an extension for people to protect themselves when they’re going away browsing any website. So we’re becoming the privacy company.
Carey Parker: Fantastic. And we’ll definitely get into that a little bit later when we’re talking about our tips and recommendations and stuff. We definitely want to talk about that one. All right, so I brought you on today because I wanted to talk about mobile privacy and security. We talk a lot about computer security on the show in general, but I’ll bet, I don’t have any hard stats on this, but I’ll bet that most people spend more time on their smartphones than they do on their computers these days. I don’t know if you have any stats on that.
Daniel Davis: I don’t have stats but I totally agree. But not only that but the phone collects much more personal data about you than your PC does.
Carey Parker: Yeah, for sure. And I don’t think a lot of people understand that instinctually. I think that’s part of the problem with a lot of what we’re dealing with when we’re trying to talk cyber security and privacy in the physical world we have a notion that someone’s watching you or that we need to protect something. I talk about how we’re used to the inconvenience of physical security. When you leave your house you lock it, when you leave your car you lock it. If you have a purse, maybe you hide that in the truck or a laptop or something like that. So we’re used to that but because it’s all virtual and because it’s all cyber, there’s just not the same instinctual feel that people have in the cyber world.
Daniel Davis: Yep, yep totally agree. And people have this thing about, “Well, but I’ve got nothing to hide so I have nothing to worry about,” but whether you have something to hide or not… For example, some people may be fine with going to the bathroom with the door open or letting other people watch their bank account details. That’s fine but we have the right to keep it private if we want to. And in the same way, I close my blinds at night because I don’t want people peering in. It doesn’t mean I’ve got something to hide. It’s just I have that right. And privacy online should be just as simple.
Carey Parker: Yeah, I totally agree. And then I’ve brought this up before but I haven’t mentioned it for a while, but if you haven’t seen the Glenn Greenwald talk, the TED Talk on privacy, it’s a great one to watch. And he talks about some of those things. And one of the things he always ends up with is people say, “Oh, I got nothing to hide, I don’t care who reads my email.” And he’s like, “Okay, well I’ll tell you what, why don’t you give me your email password.” And he said no one’s ever taken him up on that.
Daniel Davis: I wouldn’t.
Carey Parker: Exactly. All right, so there’s a lot of aspects to this and you’ve already touched on a couple that I think that people don’t really grok when they’re thinking about smartphones. There are so many personal details that we have and if it’s not stored on your phone it’s accessible through your phone. It’s just amazing how much information is there. And of course today information is the new oil, as they like to say, right? It’s a new commodity that we’re all trading in. And so all these marketers and of course governments and other people too want to get ahold of that info as much as possible. And those are just ripe targets. So we’re going to be talking about that a lot today and I think we’re going to blow people’s minds a little bit because there’s so many different ways that that information is vulnerable. So let’s get into that a little bit. Let’s talk about tracking. There’s so many ways that you could be tracked with your smartphone. Let’s start checking all off.
Daniel Davis: Wow, okay. Where do we start? Well first of all, when we’re browsing the web. I think more and more people are getting familiar with tracker blockers. We did a survey not too long ago and we found that there’s a noticeable increase in people who are both aware of and doing something about the pervasive tracking online. This is mobile and desktop but the concept is the same. We found that 24% of the American adults that we surveyed are doing something to stop tracking. For example, installing a tracker blocker for example. There’s settings in the browser as well that you can change, privacy protection settings and things like that. Or deliberately using private search or private mode. So more people are aware of it and taking notice. And the most obvious one is through visiting different websites.
Carey Parker: Yeah.
Daniel Davis: And it’s obvious because we see something we looked at only a few minutes ago coming up on a different website in an advert. “Whoa! Hey, how can you know that? That’s a bit creepy.” We know… Well, actually maybe people don’t know, but the majority of this is coming from Google-related trackers and ad networks. So a study by Princeton University, which I may have mentioned last time, showed that 76% of top websites, the top million websites they went through, have some Google code on them which can be used to track you around. And that could be through AdSense or whatever or Google Analytics.
The next largest proportion was from Facebook and this could be from just something simple looking like a “like” button. But still, that’s Facebook code which they can use to get data about what website you’re viewing. You’re viewing this product and then you go to another page and, “Okay, if we remind that person about the product they might be more likely to buy,” and it’d come up in your Facebook feed. So those are the most obvious ones that we see. And therefore, people who do do something about tracking tend, I think initially, to focus on that, installing a tracker blocker, which is what we just released, or using a browser which has some inbuilt blocking features in it.
Carey Parker: What I don’t think a lot of people realize is that Google… People think of Google as a search company, and initially it was but 90% of their revenue I think I read, it comes from advertising. They are an advertising company. So their thing is they need to know as much about you as possible because the more they can target those ads to you the more they can charge for their ads.
Daniel Davis: Right, yeah. And they are now I think the biggest digital advertiser. They make up, I’m going to have to really double check this, but there are stats out recently showing the vast majority of online digital advertising is now coming from either Google or Google and Facebook combined.
Carey Parker: Yes.
Daniel Davis: That is amazing. It’s a duopoly I think basically. And change, no matter what they say, change from within I think is going to be very hard. So we have to vote with our feet, we have to do something about it ourselves.
Carey Parker: Absolutely. Yeah, and advertising, ad blockers, and there’s obviously this cat and mouse game going on with ad blockers because first there were the ads and then there were ad blockers and now there are ad blocker blockers and there are these sites that they’re detecting that when you’re blocking their ads and they’re, some of them are refusing to show you content. Some of them are asking you to whitelist their sites and let the ads through. It reminds me of pop-up blocking back in the day.
Daniel Davis: Yeah.
Carey Parker: It’s just gotten out of hand but it’s just like the next round of the evolution of this ad-based web model that we have.
Daniel Davis: Yes. This is probably… I also want to raise a point actually. So there is also a lot of confusion I think between ad blocking and tracker blocking.
Carey Parker: Yes.
Daniel Davis: And we like to make the distinction because ads in themselves I don’t think are a bad thing. We, DuckDuckGo, we get our revenue on the search engine mostly through ads. They’re non-tracking ads. They’re not based on a profile or history. They’re based on what you’ve just searched for, that word. You search for a car, we’ll show an advert related to a car. And it’s working. We’ve been profitable for several years. We would like to see more companies use the same model. And so, yeah, blocking ads completely I think is kind of going to hurt the web that we rely on and we get so much enjoyment and information from for free. It’s the ads that track us and follow us around and that are very invasive I think that are the big problem. So yeah, we, in our company and in our software, we try to target tracker blocking rather than just blanket ad blocking.
Carey Parker: The analogy I like to make is it’s active versus passive. In the old days when you saw a billboard, the billboard didn’t see you. Right, right?
Daniel Davis: Yeah.
Carey Parker: So they would put the billboards along the side of the road where they thought it would attract a certain type of customer or if you were going to, modern day, if you’re going to a website that’s kind of a manly site or whatever, maybe they’re advertising beer and muscle cars or whatever.
Daniel Davis: Yeah.
Carey Parker: But it’s based on the site you’re going to and they could, in that sense, be first-party ads. They’re just simple, they’re not tracking ads. And that makes total sense to me, I get that. If we want free content, they’ve got to make money somehow. But it’s the ads that watch you back that gets really creepy. And that to me is where they cross the line.
Daniel Davis: Yeah. Now I’ve got an image of driving past billboards with little eye holes cut out and somebody peering at me like in a cartoon or something! But that’s kind of like what web advertising is becoming. And yeah, we need to do something about it.
Carey Parker: So there’s so many different ways to track, so that’s just one. And you’re right, that’s common to both smartphones and… The other one that we have to acknowledge and a lot of people may not think about is your cellphone provider has to know where you are because that’s how they get phone calls to you. That’s how they get messages to you, right? They have to know, geographically, roughly where you are, at least what cell site you’re on because that’s how they get things to you, right? But, by the same token, that also means that your cell provider always knows where you are.
Daniel Davis: Yes. Yeah, it’s good to point out it’s not necessarily a bad thing. There have been cases where people in emergencies have been found because of the pings from the cellphone.
Carey Parker: Yes.
Daniel Davis: But yeah, knowing what people do with that data, what the ISPs do with that data, is important. And yeah, it’s very disappointing that they were given, in the US at least, sort of free rein to collect that data and then use it for other purposes last year. Yeah, obviously we can try to support organizations that try to improve regulations and we can also ourselves write to our Congressman or woman or whichever political parties are active in our country where we live. Obviously I’m not in America. Yeah, so the main thing we can do is to try and make sure there’s regulation that protects us. That’s going to have a huge effect. But it’s very difficult and sometimes slow.
The alternative then is we find technology that can do it for us on an individual level. In the case of ISP tracking, if you visit a website that is encrypted, which means the start of the address begins with HTTPS — that S is very important — then everything that you send to and from the website is encrypted. From the outside observer’s point of view it’s just a random jumble of letters and numbers. That is very strong and even ISPs can’t then see what you’re looking at or what you’re searching for. They can see which website you’re going to. So for example, they can see you’re going to DuckDuckGo but they can’t see the search terms and the pages that you’re viewing.
An alternative to that is a thing called a VPN which, different to a website being encrypted, a VPN will encrypt all your traffic whether you visit an unencrypted website or not. So unfortunately the website being encrypted is not something you can easily control apart from writing to them saying please upgrade your service.
Carey Parker: Right.
Daniel Davis: But a VPN is something you can control. It’s usually a paid service. You have to trust the VPN provider because if they wanted to they could technically see all your traffic. Some of them say they don’t and yet you have to completely trust them. But the benefit is all of your traffic is encrypted, your emails. A lot of people don’t realize this but the emails, whether on your phone or your laptop, emails are not encrypted by default. And most people have not set it up because unfortunately it’s not super easy. So emails and web surfing will be encrypted if you use a VPN. But you have to trust the provider.
Carey Parker: Exactly. And of course VPN is a virtual private network and we’ve talked about that many times on the show because it’s one of the key tools in our toolbox. But yes, you’re absolutely right, at some point you have to trust somebody unfortunately. And so, in the case of a VPN, what you’re often doing is you’re trading your trust for your ISP for the VPN. Now, at least the VPN provider, usually one of the reasons they exist is for privacy, so at least part of their reputation is built around that trust. And if they ever violate that I would think they’d be out of business in a hurry. Whereas ISPs make no bones about the fact that they want to know everything you’re doing. And that’s why we had the law switched. They lobbied our Congress and they got it switched because they want that information on you because they want to sell it like all these other guys who want to get your information and sell it. So obviously the interests for these two parties are very different so you can at least hope with a VPN that their primary thing is protecting your privacy.
Daniel Davis: Yes. There is an alternative called Tor, which originally stands for The Onion Router. And this kind of has a similar effect in that it protects you by sending your traffic through various different, they’re called nodes, and so it makes it very difficult to track you effectively. As close as you can be to being anonymous on the web as possible. But yeah, both VPN and Tor are very helpful for this. Tor is free. It’s a nonprofit organization that runs it. VPNs are paid for, but I think it’s important to understand that with any service, especially a privacy-related service, you have to know where their revenue is coming from. It could be from some advertising that is not using your personal data. It could be through paid subscription. If it’s neither of those, then it could be they’re just taking your data and selling it without you knowing.
Carey Parker: Right.
Daniel Davis: So be very wary of especially VPNs that are free. It might not be… Maybe free dollars but it might not be free in other means.
Carey Parker: Absolutely. Yes, absolutely. So there’s a couple ways we’re being tracked. Now there are some other wireless mechanisms, some local wireless mechanisms by which we can be tracked with the WiFi and Bluetooth. Talk to us a little about how that works.
Daniel Davis: In the case of WiFi, it’s called triangulation and any website can work out where you are. There’s a thing called a geolocation API. And the website doesn’t have to do anything with the WiFi technology, it’s all done in the background by the browser. But the browser can use your WiFi to work out where you are. And it might combine that with, for example, the 3G data as well. And now possibly Bluetooth as well. So if it knows the location of a particular WiFi hotspot and you’re connected to that hotspot, then it can assume that you’re very, very close to it, within a few meters to it. And so that’s how you can get very good location data even when people are inside a building. If you combine that with 3G, then when you leave that WiFi hotspot area, they can still work out where you are because you sort of transitioned to a 3G network. The 3G towers, obviously we know the locations of those so yeah, it’s very easy to pick up your location through various means. Just switching one of these connection methods off won’t necessarily stop services from knowing where you are.
Carey Parker: And part of how Google Maps was done, and this was actually a controversy back when they did it, is they had, Google had these cars, and they still do, driving around with these little funky rigs on top taking all these 360 pictures so they could have those great, put yourself in the map kind of things and look around.
One of the things they were doing, they were scanning for WiFi signals and recording all that… Think about it right now, if you go to your neighborhood or whatever and you flip open your phone and you look at all the available WiFi networks, that list is fairly unique to where you’re at, right? Your home almost shows up because you’re close to that but your neighbors are nearby. And if there’s 15 things on that list, that’s probably pretty unique to where you’re standing. So that’s one way they could do it. They’re actually keeping track of if you see this list of 15 websites with these names like Go Boilers and Parkernet and whatever, then you’re probably standing outside my house. It’s creepy but it’s just amazing how easy it is just to snerf up all this data and then use that data for these kind of purposes.
Daniel Davis: Yes, and we enjoy free data storage and we sign up for a service and they give us five gigabytes of storage free or something, which is wonderful because data storage is now so cheap. But the flip side is that, yeah, any company now can store huge amounts of data, that we just can’t imagine, very, very cheaply, very, very easily. And obviously connection speeds as well. It can be sent, it can be scattered around the world so that data might not necessarily be stored in one particular country. So it’s not subject to one country’s privacy regulations.
Carey Parker: So there’s one more thing about the WiFi tracking I wanted to mention and that is, and you’d brought this up to me, the MAC address broadcast and randomization. Tell us what the problem is there and how they tried to solve that.
Daniel Davis: Every device has a thing called a MAC address, M-A-C address. And it’s effectively kind of like a serial number for the device that you’re using. And that is exposed so it’s possible, at a sort of low level, for the ISPs, for example, to see what, or a WiFi hotspot, to see what the MAC address of your device is when you connect. If you then track devices in a different area and you find something with the same MAC address, then you know that it’s the same device and very likely the same person.
So again, it’s another way of seeing somebody moving around connecting to different services. Obviously over time that builds up a very detailed pattern of one particular individual’s activity. The way to prevent that is to randomize the MAC address. So the operating system of the device can send out a different random MAC address each time it connects to a service, every time it’s switched on. That’s called MAC address randomization and it’s effectively the same as if you went out to the street and you met different people and each time you met the person you told them a completely different address of where you live.
Carey Parker: Yeah.
Daniel Davis: So when they met you in the future, “Hey, I’ve met you before.” “Well, it can’t be me because my name’s this and I live here.” So it would be pretty confusing. It’s great for stopping people tracking you and trying to remain a sense of anonymity. There is a problem however, our phones are built up of different layers. So you have the firmware, the core software in the phone, then you have an operating system on top of that, and then you have apps and things on top of that, and then you might even have little widgets and things on top of that as well. Each of those layers has access to the layer below it. MAC address randomization is actually available in Android phones at a very, very low level in the firmware. But the operating system then has to enable that to make it available to apps and things.
And a study, research was shown that a very small percentage, I think at the time it was about 6% or so, of Android phones that they looked at had MAC address randomization enabled. For some reason the makers shipping the phones decided not to enable it when they put the software on them and they sell it in the shops. I don’t know what the reasons are. Maybe it’s because they have their own software that they want to use MAC addresses to track people to get data, to build up profiles. Maybe it’s just they forgot. Maybe it’s because… Often what happens with software bugs is we think, “Ah, they’re doing it for malicious reasons.” Sometimes it’s… we’re humans, we make mistakes. Sometimes what happens with software companies especially, we think something is really easy to do, and it may be, but then it has to be tested to make sure it has no bad side effects.
Carey Parker: Right.
Daniel Davis: And that can take a long time. So maybe they don’t do this because then they’d have to test it and it’s a lot of work. Anyway, for that reason the technology exists, unfortunately it’s not being used in many Android phones. Apple iPhones do have MAC randomization, MAC address randomization. However, there are other identifiers that the phone emits that can be used for the same purpose. So the MAC address might be different but there might be another identifier that is the same. A quick tip for people actually, one identifier is called the Ad ID. I’m just going to double check on my phone here. It’s possible for people with iPhones and iPads to reset that. So within the settings on iPhone there is one called Privacy, an option called Privacy, and then within there you’ve got a section called Advertising and you can reset the advertising identifier in iPhones.
Carey Parker: Can you turn it off completely?
Daniel Davis: You can’t turn it off completely, no. You can only reset it. So it exists, it’s there all the time. You can limit ad tracking. There is an option to limit ad tracking and it’s in the same section of the settings. You cannot turn it off completely. And this advertising identifier, I think it’s shared with app developers, third-party app developers.
Carey Parker: Interesting.
Daniel Davis: So yeah, it’s there but at least you do have a little bit of control in resetting it and effectively you become a different person from the eyes of the app developer that is going to use that ID.
Carey Parker: Now that’s not available wirelessly is it? That’s not, along with the MAC address, that is not something that’s broadcast, is it? That’s just within the realm of the applications on the phone?
Daniel Davis: That’s true, yes it is.
Carey Parker: Okay.
Daniel Davis: Yeah, it’s just an example of a… Yeah, so although there are MAC addresses, there are other identifiers that potentially are emitted wirelessly and potentially available directly by software on the phone.
Carey Parker: And so let’s talk about applications because that’s the next realm, the next layer of potential tracking. People are happy with apps, especially those free apps. There’s, “Hey, why not? It’s free. Let me download that and try that out.” There are a lot of apps, especially free apps, that have been caught uploading all sorts of personal information about people, which is why they’re free. They’re not really free. You gave up your privacy without, unfortunately probably without knowing it. Or maybe it was buried in the terms of service, I don’t know. But whenever you install these apps they ask for certain permissions, for example, and I think a lot of people are just too liberal about that. It’s like, “Yeah sure, whatever, do what you want.” Talk to us a little bit about apps and app permissions. Where should we be getting our apps? What should we be avoiding? How do we know how to set the proper permissions on these applications?
Daniel Davis: Yeah, that’s a very good question. So from the point of view of the developer, I’m a developer, I make an app, I put it in the App Store, so why have I done that? It might be a hobby and I just want people to use it. It might be because I want a career in this. And it might be because I want it as a source of revenue. And if it’s a source of revenue you can either try and sell it, but people are used to free apps now so that might be difficult. You can put it out there for free and offer in-app purchases or subscriptions. You can have advertising on it, which is very visible so we know that we can see the revenue is coming from these ads that appear. You could also sell out data to third parties. So the users aren’t affected. They get a free app with no ads, but in the background you’re selling the data and getting revenue that way. And that happens a lot.
We saw a case of this actually just a month or two ago, actually Thanksgiving. So there was research done showing that families that voted for opposite parties spent less time together on Thanksgiving. I found that in itself quite interesting. It’s a good story. But what came out because of that story was, “Hang on, how do they know this?” And they looked into it and it turns out these researchers had managed to get hold of this data, which was legally available, which provided them with 17 trillion location markers, 17 trillion location data points which was collected from 10 million phones.
Carey Parker: Oh my god.
Daniel Davis: And these researchers, they didn’t obviously go to 10 million people and say, “Can I have some of that data?” I don’t think they did anything wrong themselves. They went to a company called SafeGraph which has got this data. And SafeGraph themselves aren’t making the apps. They’re buying the data potentially directly from app developers or potentially it’s from another third-party company who is getting it themselves, the data, from app developers. So when we install an app, first of all I doubt very many of us read the terms and conditions.
Carey Parker: Sure.
Daniel Davis: And I’m guilty of that as well. But even if we do, they’re very often filled with very vague wording, “We may use your data.” And they may say they try and anonymize it.
Carey Parker: Oh sure.
Daniel Davis: “In an anonymous fashion,” or “We may share it with third party, we may try to improve this service by…” blah, blah, blah. It’s very vague and so if anything does come down to close scrutiny, they can say, “Well, we phrased it like this so technically it’s okay, it’s legal.” In the case of this data, I want to go back to this data because it was fascinating.
So a further research was done about how these 17 trillion location markers from 10 million phones was accessed. It came from this SafeGraph company. And then what the researchers were able to do with that is work out that people who were located at a particular place between the hours of 1:00 and 4:00 AM, well that’s most likely to be their home. And so if you have two phones and they’re both together between 1:00 and 4:00 AM, not moving, in the same place, then you can kind of figure out they’re a couple or close family, especially if they’re in that same location or, you know, house sharing. But anyway, you can work out that they live together. And then on Thanksgiving in particular they looked at between 1:00 and 5:00 PM. And again, they’re looking at these location markers. And then when they see these phones together between 1:00 and 5:00 PM on Thanksgiving they can work out, “Okay, it’s family or close friends very likely.”
Carey Parker: Oh wow.
Daniel Davis: And if it’s the same places where they were at 1:00 or 4:00 AM, they know that they had Thanksgiving at home.
Carey Parker: Wow. And that is precisely a perfect example of the kind of dot connecting that goes on by these companies that people don’t think about. They may think, “Oh yeah, Facebook knows this about me. Oh yeah, Google knows that about me. Yeah, Pinterest knows this about me,” but if you put all that together along with all this other metadata, where you are, what time of day it is, who’s near you, who’s in your contact list, when you combine all these things together the amount that you can infer from that is just unbelievable.
Daniel Davis: It is, it is. There’s another example actually. There was recently… it came to light that there’s an Android permission, which at the time you couldn’t not allow it, you couldn’t turn it off in their permission settings, and it was your activity, your current activity, so it could work out if you’re at rest, if you’re lying down, if you’re walking. And again, this is something that is available to app developers so apps could work out. And a very good point was made. On its own I don’t really care if people know that I’m lying down or I’m standing up or I’m walking. There’s no privacy risk there. And fair enough, that’s a good point. It’s when you tie it together with lots of other data points, that’s when the privacy risk is exposed. For example, location is very easily available to app developers from your smartphone. So let’s say the activity data says that you’re walking. The location data says that you’re not actually going anywhere. So they could infer that maybe you’re on, what do you call it? The walking…
Carey Parker: Treadmill?
Daniel Davis: Treadmill, thank you. You can tell I don’t go to the gym, obviously! So they could tell maybe you’re on a treadmill and you’re possibly at home, possibly at a gym. But either way it looks like you’re interested in fitness. And therefore they can use that to then sell you fitness ads or whatever. That’s a very innocuous example but they can tie various other data points together and work out other hobbies. And some people might have hobbies that they don’t necessarily want to share with other people.
Carey Parker: Absolutely. Yeah, my brain went somewhere totally different with that. I’m not going to bring it up. I’m not going to tell you where it went but I think you can figure it out! So yeah, I could see how that could be…
Daniel Davis: Exactly, you have the right to keep that private.
Carey Parker: Wow. So this has been a big difference between iOS and Android for a long time. Android has been closing the gap in terms of these permission things. And one thing I used to love about iOS that used to be different is that at any point, for any app you installed, you can go into the privacy settings and you can change your mind about what you allow these apps to access or not. Maybe when you first installed it you said, “Oh yeah, I don’t care if you have my location.” And then you got to thinking about it, “Why does this game need to know where I’m physically at?” So you go back in your private settings and you turn off location.
Android for a long time was set it and forget it. It was you installed it, you asked it once and as soon as you gave it you couldn’t revoke it. I believe that’s changed now with modern Android. You can go back after the fact and modify these things. But few people do and I wonder how many people actually question when that list pops up, “You’re installing this app and this app would like to do these 20 things. Are you going to allow that?” How many people actually go through and think about each one of those?
Daniel Davis: Yeah, not many I think. And even the people that do, it is possible that apps have been updated and some settings might have been reset. Just the other day my wife was looking at, I don’t know why, but she was looking through her permissions for some reason and she noticed that Instagram mic was on, and we’d definitely turned it off. So maybe it’s because she uninstalled it, reinstalled it or updated it or something. Or just somebody had touched the phone without knowing what they were doing, that’s also possible.
But these things can change. It’s definitely worth having this in the back of your mind, every now and then go back and look through both Android and iPhone. They both have the ability to set their permissions much, much better than it was a few years ago. And it’s definitely worth going through. When you install a new version of an app, it’s also possible that they could’ve asked for increased permissions, and totally legitimately. But it’s very easy just to click yes, yes, yes. It’s worth going back and just double checking. And equally, getting rid of apps that you don’t use anymore. Because even if you don’t use it, if it’s still there then it could potentially still be collecting data.
Carey Parker: So one of the creepiest tracking things I’ve heard of with any mobile app has been ultrasonic tracking. Are you familiar with that?
Daniel Davis: Yes. I used to work in the TV space a little bit, web on TV, and this is one area that is potentially exciting because you can link mobile websites or apps with TV content and really get an immersive experience. So you’re watching Game of Thrones or something, and then on your phone you can have in-depth character analysis of the people that are actually appearing on the screen. But similarly it obviously can then be used to work out, “Okay, you’re doing this on the TV and you’re doing this on the phone, we can target you on the phone or we can target you on the TV.”
And from a technical point of view it’s really interesting how it works. There are actually two methods of working out what you’re watching on TV using audio. The older way I suppose was putting in a very high frequency tone in the soundtrack of the TV or the movie, the audio part. And so it’s not audible to us, so normal humans couldn’t hear it. It’s very, very high. But it could be detected by software. And so if it’s at a certain pitch or a certain frequency then the software could pick it up. Or if it changes frequency for example. It could be three notes that are played that we can’t hear, the software can and then so it knows, “Okay, these three notes mean that it’s this movie,” or something.
What happens a lot now is that because data storage space is just so freely available that we can actually create kind of fingerprints called audio fingerprinting where the microphone can listen to what is going on in the background, what’s on TV in the background, and then check it with a massive database and say, “Okay, this bit is from this particular content, this documentary or movie,” or something and link it like that. So yeah, with a particular software app on your phone, with the right technology, it’s very easy to work out what you’re watching.
Carey Parker: So probably the example that most people might actually be aware of is the Shazam app that was originally I think bought by Apple. But the Shazam app is that way, it listens to a snippet of whatever song you’re listening to and it tells you, “Oh, that’s Led Zeppelin, Stairway to Heaven,” because it’s taking just a short sample of that song and fingerprinting it, distilling that down to a fingerprint and checking some massive database in the sky and saying, “That’s part of Stairway to Heaven.” It’s the same kind of technology, right? Someone prerecorded this program or they have the audio for the program so they can sample it, and then they can figure out what you’re watching. So tying it back to the apps thing, so this is you’ve installed some app, probably something for free, and one of the permissions it asks for that it didn’t really need was microphone access. So if it’s listening in the background to everything you’re watching on television then it could be reporting what you’re watching.
Daniel Davis: Yep. The technology itself is potentially really useful, services like Shazam, it’s great if you’re just in a nightclub or something. But yeah, like so many things the technology can be used for ways that they weren’t really intended or ways that we never realize. It’s only when you get security researchers exposing it that we discover the extent of it. And more and more we’re very happy to have devices in our homes with a microphone that is always switched on.
Carey Parker: Yeah. Yeah, I’ve got a bunch of them myself. It’s one of the weird… I’m a privacy kind of guy but I just cannot ignore the allure of these Echo products. They’re so cool and I’ve got them all over my house. Yeah.
Daniel Davis: Yeah, it’s difficult. I’m, yeah like you, I like the latest gadgets and stuff. But I also like protecting my privacy. And sometimes it is difficult so we want more awareness of this, which is what we’re trying to promote. We want more products that we can choose to protect ourselves and we want better regulation on the part of the company so they have to be more transparent about what they’re collecting and some things are off limits.
Carey Parker: What I tell myself, what lets me sleep at night is that I know that at least with the Amazon products all the guys out there are watching. If these guys ever tried slipping up I’m sure they will be caught immediately. Whereas some of these really cheaper knockoffs, who knows if anybody’s keeping an eye on those guys or not? But if my Echo devices all of a sudden start tailing on me, I’m sure that the security researchers out there are going to let me know.
Daniel Davis: Yeah, that’s a good point. I suppose with Amazon as well, for a long time they’ve been saying, “Hey, based on stuff you’ve been looking at you might be interested in this.” So we kind of have this feeling that, yeah, we know that they’re using our data to try and sell us other stuff. It’s when stuff happens in the background, like a weather app is then being used to sell us something completely unrelated through a couple of third-party data agencies, that’s when it’s a bit more worrying. And people, if they’re not aware of it then they’re not able to do anything about it.
Carey Parker: So let’s talk about a couple… So we talked a lot about privacy. Let’s talk a little bit more about hard-core security. What kind of tips do you have for people? For instance, I often tell people to make sure that you encrypt your device drives and things like that. Are there any other security related advice you might give for locking down your phone?
Daniel Davis: Yes, encryption is a big one. And it’s very easy on phones now. On iOS, the fact that you put in a PIN, a password. I recommend a password. In fact, everybody should do this anyway, especially if you have things like your email on your phone. All you need to do is switch on your phone to access your email and then you’ve got access to medical accounts and financial accounts and all sorts, so the very first thing you should be doing is setting a passcode or, in particular a password on your phone. If you do that, on iPhone immediately that encrypts the device.
Encryption sounds kind of scary but with mobile devices you don’t need to do anything and there are no extra steps involved apart from using a password. So the encryption happens in the background. And these days it doesn’t really slow things down noticeably for users. So encryption means that you put in a password, if somebody else has access to your device, they steal it or you lose it or something, all they can see on your phone is random numbers and letters. They can’t see the individual files. If it’s not encrypted somebody could get hold of your computer, for example, and even if it’s switched off the hard drive has all the files on it and it’s pretty straightforward to go and read all those files.
Carey Parker: So you talked about PIN codes and bumping that up and going with a password. How do you feel about fingerprint access?
Daniel Davis: Personally I don’t use fingerprint access on my phone. The reason is that a fingerprint is something that we can’t change. If it ever gets out, and unfortunately there are some services that require, like immigration or something, that require fingerprints. There’s not a lot we can do. But I like to limit the amount of services that have access to my fingerprints.
Now I should point out that when your fingerprint is scanned and put into a database, it’s not a picture of your fingerprint. It’s converted into what we call a hash, a series of numbers and characters that is supposedly unique and represents your fingerprint. So there are not pictures of your fingerprint being saved. But even so, the data about my fingerprints is somewhere and you can’t change your fingerprint. You could by putting a fake plastic one but then you’re probably breaking some law. So it’s much, much easier to have a password that you have control of and will always have control of. So the convenience is there, I can see that. I think the technology’s probably very, very strong but there are negatives to it. So I would want people just at least to be aware of that and make their own choice.
Going back to encryption actually. Sorry, I just talked about iPhone but on Android as well I should point out, it’s also possible to encrypt the device, again in the settings, the security settings within Android. I think you have to have it plugged in when you do it and it might take a little while but it’s pretty straightforward. And again, to actually use it once it’s done you just need a password. It’s just a do it once and forget it kind of thing.
Carey Parker: Fantastic. All right, so let’s wrap up a little bit. I know we talked about some other great tips and tricks. There were some apps I wanted to bring up and absolutely bring up yours. So talk to us a little bit about… Let’s start there. Talk to us about the new app that you guys have rolled out last week, or this week actually in preparation for Data Privacy Day which is Sunday. Tell us about all of that.
Daniel Davis: Yeah, thank you very much. It’s something that we’ve made available at the moment on Android and on iPhone. We had an app previously which was focused on search. Now we have an app which is a mobile browser. We have the same technology in a desktop extension as well so if you prefer to use a desktop browser then you can just install the extension. As we’re talking about mobile today, within the mobile app you can just browse the web as you normally do but in the background we’re blocking these invasive trackers that we talked about earlier that follow you around. So we try to do that seamlessly so you don’t notice it.
And if you want to, you can, there’s a little icon which will show a privacy grade, so A, B, C, D for example, if you click on that little icon it will show you the trackers that we have blocked for that site. And if you want, you can switch it off for a particular site, so you can disable it. You’ve got control there. It also shows you all the things we’ve blocked over time. And it’s quite surprising to see how many blockers have been blocked. Sorry, how many trackers have been blocked.
Carey Parker: Right.
Daniel Davis: The privacy grade also gives you an indication of obviously how much the particular website you’re looking at is respecting your privacy, not just through the trackers that they have but we also work with a website called tosdr.org, so “Terms of Service; Didn’t Read” it’s short for. And what they do is a very good service. They try to distill complicated terms of services for particular companies and websites into something that’s humanly readable and give that a kind of grade. Unfortunately this service, it takes a long time to do that. You need somebody to go and read through all the legalese.
Carey Parker: Yeah.
Daniel Davis: So it’s not something that can be done automatically. A lot of work is done. But we use that, the gradings, together with our own analysis to work out how much a particular website is respecting your privacy. And then you can see it, as I said, as a letter grade. So it’s nice and easy. A couple of other things we do, I mentioned earlier about encrypted connections. And so what we’ll do, we’ll try to enforce an encrypted connection if it’s available. So you go to a website that’s not encrypted, we’ll check to see if there’s an encrypted version and switch you to that sort of automatically in the background. And finally, if you want to delete all your data from your browsing session we have a little picture of a fire actually, you press that and you get a nice little fire animation going up the screen, we’re burning all your data so all your history is now gone, don’t worry about it.
Carey Parker: That’s fantastic. And a lot of people I think, on iPhone in particular, because Apple kind of enforces that you use Safari for your main browser, a lot of people don’t even think about using something different. And there actually are several other browsers and this is obviously one of them that people should strongly consider if they want to be protecting their privacy. One more question about that, since it’s basically doing the tracking blocking, does that effectively mean it’s also blocking ads as well?
Daniel Davis: If they are ads that contain tracking code, if they’re tracking ads or invasive ads, then yes it will. If they’re just basic static ads that are just coming from, as in the case of DuckDuckGo, just from a keyword that you searched for and that’s all, not connected with any other tracking behavior, then it will leave those.
Carey Parker: So this is obviously one of the alternative apps. There’s so many standard apps that people use for these things that are very popular and I don’t think they consider that there might be more secure or private alternatives. For example, email or messaging, do you have any recommendations along those lines?
Daniel Davis: For messaging we very much like Signal which is Whisper Systems I think is the name of the company. That’s open source, it’s freely available and, again, Android and iOS versions available. And all the encryption is done in the background there. So with the web, there are some websites that are encrypted, some aren’t. With this particular Signal messaging, and some other similar services as well, you’re sending messages and it’s encrypted in the background. You don’t need to worry about it, people can’t see what you’re sending.
Carey Parker: Yeah, I recommend Signal often.
Daniel Davis: Yeah. For email, there are many services. We use FastMail in house, have done for a long time. And it’s a paid service but, going back to what I mentioned earlier, if you’re paying for something then there’s less incentive for that company to use your data and give you a free service but then make money selling it in the background. So we’ve been very happy with FastMail. There is another service, more recently set up, called ProtonMail, which provides private email. And I have a feeling that is encrypted between ProtonMail users.
Carey Parker: Yes, yep. And they actually have support for PGP as well. So if you wanted to, if you’re going between ProtonMail and something else they do it. It’s obviously, maybe not obviously, but it’s a little more clunky if you’re not going ProtonMail to ProtonMail unfortunately. Email was just never built for encryption so they have to kind of bolt it on and it makes it kind of clunky.
Daniel Davis: Yes, yeah. Unfortunately, yeah. We have several more suggestions actually of services like this on our blog which is called https://spreadprivacy.com is the name of the blog. We have one popular article on there called “How to Live Without Google”.
Carey Parker: Yes.
Daniel Davis: And it obviously focuses on Google, but even if you’re not using Google already it’s got suggestions for email alternatives, browser alternatives and things like that, messaging services, mostly focused on privacy.
Carey Parker: You’ve got actually several wonderful tutorials out of that site I think. I don’t know if they’re all under that same umbrella but you’ve been putting out all sorts of great tutorials about privacy and things that I will definitely put in the show notes for people to check out. Really great guides. And your blog, you guys have got a great blog. I follow it all the time. So DuckDuckGo has done some really fantastic stuff and they’re obviously branching out and doing more. It’s just wonderful. It’s great to see that there’s companies out there succeeding doing these kind of things.
Daniel Davis: Thank you very much. Very kind of you to say so. Yeah, also on the blog, we talked about mobile today, and we do have tips for mobile devices. And so we’ve got various steps that you can do, with screenshots, to make it really easy to check permissions on your phone or set up things so you can be as private as possible. And yep, we do what we can. We’re trying to help users. We’re trying to increase awareness, give people choice and control of how their personal data is dealt with online.
Carey Parker: So I would encourage people to go check these things out, install these things, tell your friends about them. Word of mouth is really important on things like this and showing other people that you care. It’s kind of like voting with your wallet, in this case it’s free, but showing people that you’re dedicated enough to do these things and give these guys some… Be able to say that we have this many million users just helps. It helps. There’s a certain critical mass I think that are needed before these things catch on. And so I would highly encourage everybody to check these things out, install them, tell your friends and family about them. It’s really wonderful. And Daniel, thank you very much for coming back on. That was extremely insightful and it was great talking to you again. We’ll definitely have to bring you back in the future.
Daniel Davis: Well thank you very much. Yeah, it’s always a pleasure and I enjoy speaking to you and all the rest of the episodes that you’ve done as well. You’ve built a great library of really useful information and guides for people at any level I think. Well done.
Carey Parker: Thank you very much. Take care.
Daniel Davis: Okay, bye.
Carey Parker: And that’s going to wrap up our show today. And thanks again to Daniel Davis for coming on and talking to us once again. Always fun to bring him on for the show. And go to https://duckduckgo.com and if you go to the show notes on America Out Loud you’ll see my notes there. You can find some links to some of their tools that they’ve got there, including some great privacy guides that they’ve got on their website as well. We didn’t get to talk too much about those but they got some great tutorials about how to lock down all of your devices, not just your mobile phones. And of course the DuckDuckGo browser, you can use that and make that your default browser and know that all the search terms that you’re putting in are kept quiet. So that is all for today. And as always folks, don’t get caught with your drawbridge down.
For Further Insight:
- Website: https://duckduckgo.com
- Twitter URL: https://twitter.com/duckduckgo
- LinkedIn URL: https://www.linkedin.com/company/duck-duck-go
- New DuckDuckGo mobile app: https://duckduckgo.com/app
- DuckDuckGo privacy guides: https://spreadprivacy.com/tag/device-privacy-tips/
- Help me to help you! Visit: https://patreon.com/FirewallsDontStopDragons