Extent of Privacy Problem
What is the extent of the threats to privacy today? How much of our information is already collected?
Location Tracking
The shocking news is that by default today you are tracked 24/7. Your location is easily knowable within meters and in some conditions even more precisely.
How is this accomplished?
- cameras everywhere
- facial recognition
- license plate readers
- your cell phone
- WIFI triangulation
- home IP address
Cameras, Facial Recognition, License Plate Readers
These can be used to know where you are or where you have been, and where your vehicle is or has been. Cameras installed for security reasons are more and more common, but they are also used to gather more usable information by stores, communities, governments, and sundry others. Being seen by a camera whose live or recorded feed is, or can be, fed to Facial Recognition is like wearing a sign everywhere you appear in public with your full identifying information on it.
Cell Phone
Cell phones work by pinging cell towers. These pings are basically a constant chatter of “Here I am and here is my device ID”. If there is a SIM card in the device then its ID is also included. The return signals from towers in range, together with their direction and strength, can be used to get an approximate position within tens of meters or better, depending on the density of coverage. Something that is not commonly known is that the phone does this whenever it is on, even without a SIM card. By law in many countries the phone has to be able to make an emergency call or receive some types of emergency broadcast regardless of SIM presence or status. Nor is this completely turned off in Airplane Mode.
The cell towers themselves can of course record which phones pinged them at what times as well. This and other methods allow geofencing, which is finding all phones that were in a particular location at a particular time. As most people purchase phones with credit cards or otherwise identify themselves, this tells who was likely in an area at a particular time.
If WIFI is on, another set of pings says “Here I am, what WIFI access points are around me?”. The collection of those and their signal strengths can be used to get an even more precise location of the device, and likely of you who are operating it. This can be within less than a meter. How? WIFI geographical location information has been mapped quite precisely by those Google Street Map vehicles and other companies.
And then there is GPS. GPS is receive-only: your phone or other GPS device only listens to the satellites, so the device itself computes as precise a location as it can from those signals.
Your phone gathers location data all the time, even when Location Services are off, you are in Airplane Mode, and even without a SIM. It has been observed that even under these conditions, once the phone is back on a SIM or WIFI connection, it sends out the gathered location information. Location Services being off simply means the known location info will not be shared with apps running on your phone.
As most people have their phone on 24/7, the phone location information easily pinpoints where you spend much of your time and likely sleep.
IP Address
Every device on the internet has an IP address. This address provides a geographic location at some resolution, as the distribution of IP addresses is not random but geographically ordered. For a home user your IP address alone is enough to get within a block or so of your home in most suburbs. That IP address can also be used to request more precise and detailed information from your ISP (Internet Service Provider).
Purchase Tracking
Any time you buy anything using a credit card or debit card, that charge is recorded at the issuing bank. In addition, any information you enter when making the purchase, such as address and name, is recorded by the merchant you are buying from as well. Since the credit/debit card is KYC-linked to your true name, and/or you entered your true name and even true address at the point of purchase, all such purchases are part of an information graph whose central node is YOU. You can know a lot about a person if everything they buy, how often, and from whom is known.
Only cash, prepaid debit and some types of crypto escape this purchase tracking.
This includes what kind and amount of food, booze, pot, and books you purchase, and which causes you donate to.
What you watch on TV
Particularly with the advent of “Smart TVs” it is easier than ever to gather exactly what kinds of programming you consume, how often, who else is present, and at what location. Since a smart TV also typically includes a microphone and camera, the set can even monitor you watching and capture audio and visual information in the room. Shades of 1984. The set is hooked to the internet and can, and by default does, send all this information out of your house to those interested in such data for business or other reasons. A ROKU box as a separate device does some of this data collection and sharing, but at least it is not watching you or generally listening to you at the same time.
Communications Monitoring
The email protocol was invented long before privacy concerns were much thought about. It has since been modified with things like over-the-air encryption, although not all servers that mail passes through are required to handle that encrypted traffic. The big problem is the servers it passes through, as by default they can see not only the metadata of from address, to address and subject but also the mail contents (if not encrypted). Almost all mail has at least the metadata visible. So this gives a nice graph of who communicates with whom, on what subjects, how often and when.
SMS
SMS is not a secure protocol and is not private by default. While some providers such as Apple have encrypted messaging to at least other Apple users, even this is not necessarily fully E2EE with no way for at least Apple itself to see content. Also, SMS goes through cellular networks. In the US and many other localities these networks are required to log at least metadata of, again, who is messaging whom and how often. Recently a particular subset called notifications, which many apps send and receive, was found to be being shared with the US government. This gives a pattern of app usage beyond other sources of data. SMS is based on the SIM card, and there are attacks where a SIM can be effectively duplicated by a hacker (public or private sector) who can then see all your SMS traffic and originate the same. This is especially worrying when many banks insist on SMS-based 2FA only.
Phone Calls
In the US, by the CALEA law, who calls whom and for how long is tracked. In addition, CALEA mandates that authorities can listen in much more easily than with traditional wiretaps and with less evidence of probable cause. Similar measures exist in the EU and in many other countries worldwide. Some are better and some are worse, and even much worse.
Phone OS
Both iOS and Android (on stock Android phones from many manufacturers) send a LOT of data to Apple and Google respectively, every 4.5 minutes. This includes the phone device ID, Apple and/or Google ID, what apps are open, what apps are on the phone, what WIFI networks are in the area, IP address, sensor information and much more. In addition, apps on the phone may be doing their own telemetry and analytics reporting of detailed user actions within those apps, which includes device ID and Apple or Google ID. Depending on the app this can be very sensitive information.
Social Media
It has become too common to “let it all hang out”, sharing a LOT of detail about one’s life, hopes, dreams, mood, schedule, plans and so on on Social Media. There are no real restraints on Social Media companies against mining this information for commercial gain in various ways, including selling it to third parties or tuning what you see to keep you hooked based on what you have reacted to or spent time on in the past. If the Social Media provider, or someone pushing for such restrictions, wants to, then what you see of what is posted by those you follow, your friends, or groups you belong to is manipulated based on what the system (not just restricted to that platform) knows about you and about whomever is sharing the information in question.
Search Monitoring
What you search for, how often, what links you click, and when you get to those pages how long you spend there is, by default with standard search engines and internet settings, tracked and recorded. This information can also be used to determine what you will and will not see when searching for particular things, both in general and tailored to “people like you” specifically.
Internet Monitoring
By default every single website you go to, and how often, is known by your ISP (Internet Service Provider). This information can be shared with authorities and miscellaneous 3rd parties.
The majority of websites use some form of analytics of user behavior on the site. The vast majority of this is through Google Analytics. Google is one of the most voracious acquirers of data about people and their activities on the planet. Meta (Facebook, WhatsApp, etc.) gives them a run for their money in this. Both have many mechanisms to see other things you do in the same browser where you have opened one of their products and thus associated your ID in their world with your browser session. Facebook has code embedded in those cute Like buttons and invisible tracker widgets that not only gives the app they are in information but also phones home to Meta.
Browsers, via JavaScript, allow web apps to ask for a lot of information that can be used to identify you and gather information about your runtime environment. It includes at minimum IP address, type of computer the browser is on, type of browser, your time-zone, OS of the computer, size of browser window and other characteristics, what extensions you have installed and much more. Some of the information is needed for the app to do its work in the browser, but much of it is not. This is known as “fingerprinting”. It can identify you with high probability across multiple web applications and browsing sessions. Given this, even more information about what sites you visit and what you do there typically can be gathered.
DNS (Domain Name Service)
This service converts the domain in a URL to the IP address that corresponds to it. Because the service sees the domain of every URL you go to, it is important that it does not log or share this information. By default your ISP provides this service, or in some cases, such as mobile, Google or Apple does. This information tracks, and can be used to profile, everywhere you go online and how often.
HTTPS
HTTPS encrypts internet traffic over the air. It does this in conjunction with DNS and Certificate Authority information. This information contains the key that should be used to encrypt the information and the IP address of the trusted site to decrypt it. The entities that provide this are called “Certificate Authorities”. If one of these is malicious, or owned by a government or organization that wants to spy, then at best it can record all sites visited. At worst it can substitute its own public key and give it to its own site to decrypt all the traffic before re-encrypting it with the proper key and sending it on its way to the true server.