Recently I faced that most people don’t really understand what corporations like Google or Facebook are doing and why their services are free of charge but they have enormous profit at the same time.
To be honest with you, I didn’t understand the whole scale of it either and only recently I decided to get rid of Facebook, Microsoft services and most of Google services (it’s really hard to stop using all of them) because of my privacy concerns. Here I’m going to tell you why I did so and I’ll try my best to explain what these companies are doing or what we let these companies to do with our data.
A small disclaimer.
Obviously, some things here I just assume as a software engineer from my technical perspective and it’s very hard to prove most of the assumptions without knowing how exactly the services work inside. So, I’m just trying to imagine how they could work to make the things they do possible.
Companies trick people to give away their data
If you’re looking for a short answer so this is it: ”Companies trick people to give away their data and then they make money out of it”. There are some ways to use your personal data for profit such as contextual advertisement or global researches. And some people would say “So what? They provide me with such cool services free of charge, so let them use the damn data!”. But are you sure you understand what kind of data these companies are using?
The truth is that big corporations such as Facebook, Google, Apple, Microsoft, etc. already know almost everything about their users and do their best to know even more covering this with their superconvenient features which are supposed to make your life easier. And people buy it! In fact, they just made their users addicted to their services, devices, infrastructure and most of them are not able to stop using them anymore.
I’m sure that other companies provide with similar features, but about Google I know the most in comparison, so let’s talk about it.
Google Home. Have you ever thought that this thing is listening to each word you say at home (otherwise it would not be able to react on certain phrases) and is able to send it to Google servers, does it or not it’s hard to say but what if it does? Same about other home voice assistants like Siri or Alexa.
Not a home assistant user? Okay, let’s talk about new Pixel 2 by Google. Have you heard of “Now playing” feature? Ever wondered how it works? Well, it streams your mic audio in real time to Google servers which have enough power to make the match with a playing song. I’m pretty sure it’s impossible to implement it otherwise.
Not a Google Pixel user? Maybe you’re using Android. Have ever visited your activity feed? Any app you run, any action you perform on your device, any word you say to Google Assistant is sent to Google by default. Of course you can turn it off but then you don’t have some Android features like Google Assistant. Also, you might find some interesting stuff on the activity management page like your search history, location history, etc. Also, don’t forget about sport activity trackers/apps.
Not an Android user? Maybe you’re one of the billion Gmail users. Did you know that Google scans your email for adjusting contextual ads for you? Who knows what else they’re doing with it? Nobody can tell except Google itself.
Also, good to know that if you’re logged in a Google account and visit any web-site with Google Analytics installed, Google has a record that you’ve been there even if you’re not using Google Chrome. Perhaps that’s why Google Analytics has such accuracy saying “your website visited X men, Y women and their age is A-B”. Otherwise how would they know this data? I think many of us saw a Google Ads banner with some food from a delivery service after visiting their website or some stuff from Amazon which you looked at.
My point is: when you hear about a new fancy feature from a corporation, first think what data you’re sharing with the corporation to make this feature possible and how company can use this data for bad. If you’re fine with it — it’s you choice.
Real life examples I’ll give some examples that I personally know of.
Once, I woke up, opened the Facebook app as usual and realized that people in my friend suggestions are guests of my friend’s birthday party from the day before. And that was weird, I didn’t see such suggestions before I met them there. But how did Facebook know about that? My theory is Facebook tracks your location and if you’re near to other Facebook users for some time it assumes you know each other and tries to create a social connection between you all. Sounds harmless, right? But do you really want Facebook to know whom you’ve met and where? Maybe what stores/shops you’re visiting? Doctors? What about patient’s confidentiality?
Some people even reported over a year ago that Facebook could listen to your conversations and use some keywords in contextual ads in your feed. And that’s totally possible if you have Facebook Messenger installed. It has access to your mic any time.
Every single picture you’re taking on a mobile device has an EXIF header by default that contains some meta information about the picture including the location where the picture was taken. If you send/upload/share the picture think twice, your picture can tell people where you live. Fortunately, some services trim this header automatically but some don’t. There are plenty of online services or apps to do that but I personally don’t trust them either, so I use ImageMagick and this CLI command on my computer:
mogrify -strip picture.jpg
Once, I conducted an experiment with Skype long time ago. Back then it didn’t have any content preview features for links. I ran a web-server on my own domain that handles only a special link I generated for the experiment. It was about 256 random characters long and I never shared this link with anybody except 3 trusted contacts on Skype whom I asked to not open this link. I trust these people that they didn’t. After some time my web-server registered a request from the USA (all my contacts were based in Russia). What does it mean? For me it means Skype was (maybe is) scanning its conversations and visits links from them gathering some additional information and I had the proof. Also, that means that no conversations on Skype are confidential because there was no way to guess this link on my server.
Is you favorite messenger secure? Hard to say. But what I can say for sure — unless it’s open source, uses P2P encryption without sending encryption keys over network nobody can say it’s secure. If anybody does — it’s a lie.
For instance, WhatsApp is not open-source — nobody knows how it works inside and I believe it sends encryption keys over network otherwise you would not be able to see the message history on other devices.
Other messengers like Telegram are open-source (at least the protocol and clients) and have P2P encryption but they mislead their users claiming they are secure because by default they’re not. Only secret chats available on mobile devices are secure — the rest is not and it’s very important to understand.
The fact that corporations have so much power over their users scares me. Not because they’re trying to manipulate all of us to buy useless stuff and make money on us — I don’t like it of course but it’s harmless most of the time.
I’m afraid of people who have access to this data and what they’re able to do with it. It’s not a secret that intelligence and security services are able to get access to any company’s data if they want to, unless it’s technically impossible when you have an encryption key on your local device only and never send it via network (like PGP or Signal).
These organizations will never stop reaching their goals and if you’re on their way they can set you up, blackmail you or who knows what else they can do. There plenty of movies that demonstrate us how simple it is. And the truth is that you’re providing all needed tools for that yourself and every year you’re giving more and more abilities to this people to control you buying new devices and using new services for your convenience. And you pay for your own surveillance yourself, think about it.
What can I do?
That’s a very good question. Whatever you do, you’d make your life more complicated and you have to accept it first. If you really care about you privacy you can do for example something like this:
- Remove as more social media accounts as you can
- Turn off any kind of activity tracking in all the apps/services you’re using. Here you’ll have to sacrifice some features and convenience
- Switch from Google services if you can
- Use Firefox with “Do not track” and containers and put all web-sites which you think can track you in a separate container so they can’t track what web-sites you’re visiting outside the container
- Any time you share important/sensitive information with someone use PGP and never transfer your private keys over network, use physical devices for that only
- Remember that your smartphone, laptop and basically any device is potentially a tracking/surveillance device that can listen and watch what you’re doing. If you have a confidential conversation leave your devices out of it or put them into an isolated environment. For example, you can put your smartphone into a microwave and it would be enough to block any transmission because of the Faraday cage effect
- Be careful and think, always
Seems like we didn’t notice how we made ourselves subjects of mass surveillance. It’s easier than ever for governments to have full control over population of their countries and we help them to do so as hard as we can paying for new devices, using popular services and public systems.
I’m not saying we must ignore and not use any of this. I’m saying we need to understand what we’re doing and we must be careful about what exactly we share with the corporations and as a consequence with governments who would not stop if you become an obstacle on their way. I hope this article will help to build awareness around this.
This is another write up of my recent talk where I share what tools and techniques I use to protect myself from being hacked.
This is a write up of my recent (if can call October 2018 recent) talk that I gave for my colleagues. It's about typical attack vectors used against web-apps and how to decrease the attack surface of the apps.
In this article I will try to explain my point of view on some problems you might face when your company is growing. Also, what exactly is growth and why there are some very wrong things about it.