Kaspersky Observes Data Privacy Day By Sharing Privacy Predictions for 2021
2020 saw an unprecedented increase in the importance and value of digital services and infrastructure. From the rise of remote working and the global shift in consumer habits to huge profits booked by internet entertainers, we are witnessing how overwhelmingly important the connected infrastructure has become for the daily functioning of society.
What does all this mean for privacy? With privacy more often than not being traded for convenience, we believe that for many 2020 has fundamentally changed how much privacy people are willing to sacrifice in exchange for security (especially from the COVID-19 threat) and access to digital services. How are governments and enterprises going to react to this in 2021? Here are some of our thoughts on what the coming year may look like from the privacy perspective, and which diverse and sometimes contrary forces are going to shape it.
1. Smart health device vendors are going to collect increasingly diverse data – and use it in increasingly diverse ways:
Heart rate monitors and step counters are already a standard in even the cheapest smart fitness band models. More wearables, however, now come with an oximeter and even an ECG, allowing you to detect possible heart rate issues before they can even cause you any trouble. We think more sensors are on the way, with body temperature among the most likely candidates. And with your body temperature being an actual public health concern nowadays, how long before health officials want to tap into this pool of data? Remember, heart rate and activity tracker data – as well as consumer gene sequencing – has already been used as evidence in a court of law. Add in more smart health devices, such as smart body scales, glucose level monitors, blood pressure monitors and even toothbrushes and you have huge amounts of data that is invaluable for marketers and insurers.
2. Consumer privacy is going to be a value proposition, and in most cases cost money:
Public awareness of the perils of unfettered data collection is growing, and the free market is taking notice. Apple has publicly clashed with Facebook claiming it has to protect its users’ privacy, while the latter is wrestling with regulators to implement end-to-end encryption in its messaging apps. People are more and more willing to choose services that have at least a promise of privacy, and even pay for them. Security vendors are promoting privacy awareness, backing it with privacy-oriented products; incumbent privacy-oriented services like DuckDuckGo show they can have a sustainable business model while leaving you in control of your data; and startups like You.com claim you can have a Google-like experience without the Google-like tracking.
3. Governments are going to be increasingly jealous of big-tech data hoarding – and increasingly active in regulation:
The data that the big tech companies have on people is a gold mine for governments, democratic and oppressive alike. It can be used in a variety of ways, from using geodata to build more efficient transportation to sifting through cloud photos to fight child abuse and peeking into private conversations to silence dissent. However, private companies are not really keen on sharing it. We have already seen governments around the world oppose companies’ plans to end-to-end encrypted messaging and cloud backups, pass legislation forcing developers to plant backdoors into their software, or voice concerns with DNS-over-HTTPS, as well as more laws regulating cryptocurrency being enacted everywhere, and so on and so forth. But big tech is called big for a reason, and it will be interesting to see how this confrontation develops.
4. Data companies are going to find ever more creative, and sometimes more intrusive, sources of data to fuel the behavioural analytics machine:
Some sources of behavioral analytics data are so common we can call them conventional, such as using your recent purchases to recommend new goods or using your income and spending data to calculate credit default risk. But what about using data from your web camera to track your engagement in work meetings and decide on your yearly bonus? Using online tests that you take on social media to determine what kind of ad will make you buy a coffee brewer? The mood of your music playlist to choose the goods to market to you? How often do you charge your phone to determine your credit score? We have already seen these scenarios in the wild, but we are expecting the marketers to get even more creative with what some data experts call AI snake oil. The main implication of this is the chilling effect of people having to weigh every move before acting. Imagine knowing that choosing your Cyberpunk 2077 hero’s gender, romance line and play style (stealth or open assault) will somehow influence some unknown factor in your real life down the line. And would it change how you play the game?
5. Multi-party computations, differential privacy and federated learning are going to become more widely adopted – as well as edge computing:
It is not all bad news. As companies become more conscious as to what data they actually need and consumers push back against unchecked data collection, more advanced privacy tools are emerging and becoming more widely adopted. From the hardware perspective, we will see more powerful smartphones and more specialized data processing hardware, like Google Coral, Nvidia Jetson, Intel NCS enter the market at affordable prices. This will allow developers to create tools that are capable of doing fancy data processing, such as running neural networks, on-device instead of the cloud, dramatically limiting the amount of data that is transferred from you to the company. From the software standpoint, more companies like Apple, Google and Microsoft are adopting differential privacy techniques to give people strict (in the mathematical sense) privacy guarantees while continuing to make use of data. Federated learning is going to become the go-to method for dealing with data deemed too private for users to share and for companies to store. With more educational and non-commercial initiatives, such as OpenMined, surrounding them, these methods might lead to groundbreaking collaborations and new results in privacy-heavy areas such as healthcare.
We have seen over the last decade, and the last few years in particular, how privacy has become a hot-button issue at the intersection of governmental, corporate and personal interests, and how it has given rise to such different and sometimes even conflicting trends. In more general terms, we hope this year helps us, as a society, to move closer to a balance where the use of data by governments and companies is based on privacy guarantees and respect of individual rights.
To increase privacy control over users’ data, two Kaspersky experts have combined the results of their research and upgraded the openly available TinyCheck tool. Initially developed as a stalkerware detection tool for service organizations working with victims of domestic violence, TinyCheck now also offers help to uncover all types of geo-tracking apps.
In December 2020, Apple and Google prohibited any apps in their stores which use X-Mode’s technology that secretly enables tracking and selling of location data. Several months prior to the tech companies’ decision, Kaspersky’s Global Research and Analysis Team (GReAT) director, Costin Raiu started to analyze such apps after he had seen a visualization that identified people’s movements using their GPS data made available by X-Mode.
Raiu found more than 240 distinct apps with X-Mode’s tracking technology which in total have been installed more than 500 million times. Such data collection becomes possible when developers embed a component – a software development kit (SDK) – in their app. The problem with these tracking SDKs is that it is impossible for a user to tell whether an app contains such location tracking components. Also, the app may have a legitimate reason to ask for the user’s location as many rely on location to function properly, but such an app might also sell the GPS data.
In addition, any app can contain more than just one tracking SDK. For example, while Raiu was looking at an app that included the X-Mode SDK in question, he discovered five other components from other companies that were also collecting location data.
Making life harder for secret trackers
Now, Raiu’s findings have been integrated into TinyCheck, an open-source tool developed and published in November last year by Félix Aimé, another of Kaspersky’s GReAT experts. Initially, TinyCheck was developed to help tackle the issue of stalkerware.
“Secret tracking of users and using their data without their knowledge should not happen for any reason. Having the combined list of indicators of compromise for mobile trackers and stalkerware integrated in TinyCheck, users are able to increase their privacy control. TinyCheck is therefore designed as an open source tool that is freely available to anyone, and one which the security community can share and contribute their knowledge to,” comments Félix Aimé, a Kaspersky GReAT security researcher.
In addition to using TinyCheck, there are a few tips to follow to lower the chances of being tracked by such apps and services, which involve limiting apps’ permissions:
– Check which apps have permission to use your location. The following information shows how to perform such checks on an Android 8 device (later versions do not differ significantly) and an iOS device. If an app does not need location permission, you can simply revoke it.
– Give apps permission to use your location only while they are being used. Most apps do not need to know your location when they are running in the background, making this setting ideal for many of them.
– Delete apps that are not used anymore. If the app has not been opened in a month or more, it is probably safe to assume it is no longer needed; and if this changes in the future, it can always be reinstalled.
– Use proven cybersecurity protection, such as Kaspersky Internet Security for Android, which protects you against all kinds of mobile threats.