Pluralistic: 23 Jun 2022


A Black baby playing with alphabet blocks; the blocks have creepy staring eyes and XML tags on their faces.

Today's links



A line of kindergartners horsing around in a toddler-sized institutional bathroom, looking into the mirror. Out of the mirror is the glaring eye of HAL 9000 from 2001: A Space Odyssey. The kids' reflection is color-inverted, and their reflected, inverted faces are traced with facial recognition geometry lines.

Daycare apps are insecure surveillance dumpster-fires (permalink)

When my EFF colleague Alexis Hancock signed her baby up for daycare, she was told that she had to download a childcare management app – to monitor and specify "feedings, diaper changes, pictures, activities, and which guardian picked-up/dropped-off the child."

https://www.eff.org/deeplinks/2022/06/daycare-apps-are-dangerously-insecure

This was during the lockdown, and the app was a way to comply with social distancing and contact tracing rules, but it was also designed to help with "separation anxiety of newly enrolled children and their anxious parents."

Alexis wasn't the only EFFer with a newborn encountering these apps. Being a digital privacy and security expert, she and her colleagues started to pick apart these apps and seek dialogue with the companies that made them. They discovered a nightmare of bad security practices, worse privacy practice, and yawning indifference to the digital wellbeing of very small children and their parents.

First of all, there was the matter of account security. When Alexis and co started looking into these apps, they all shared a glaring defect: none of them implemented two-factor authentication, "one of the easiest ways to increase your security."

They contacted Brightwheel, a leading childcare app vendor, who proudly announced that they were rolling out 2FA – and that this would make them the only childcare app to support it. Incredibly, this is true. As Alexis writes for Wired: this is "bullshit."

https://www.wired.com/story/daycare-app-privacy-security/

Assessing whether an app has 2FA or whether it doesn't is easy: you just have to poke around in the settings. But a more comprehensive look at app security requires a more sophisticated investigation. EFF undertook a static analysis and network analysis of childcare apps and turned up some disturbing results.

For example, the Android Tadpoles app exfiltrates a ton of data to Facebook's Graph API, as well as extremely granular device info to Branch.io (neither company is mentioned in Tadpoles' privacy policy).

Then there's HiMama, which stores user data in Amazon's cloud – and misleadingly labels this practice as "suited to run sensitive government applications and is used by over 300 U.S. government agencies, as well as the Navy, Treasury and NASA" (none of this activity runs on the Amazon cloud that Himama uses – it's on the AWS Govcloud, a completely separate product).

There's an industry-wide gap in disclosure of which data is collected and how it is used; the disclosures they do make are misleading or incomplete.

Worse, the companies have been vastly indifferent to these problems. In "'We may share the number of diaper changes': A Privacy and Security Analysis of Mobile Child Care Applications," a peer-reviewed paper presented at the 2022 Privacy Enhancing Technologies Symposium, a team lays these problems out in eye-watering detail:

https://www.researchgate.net/publication/358904572_We_may_share_the_number_of_diaper_changes_A_Privacy_and_Security_Analysis_of_Mobile_Child_Care_Applications

Writing for EFF, Hancock makes a series of recommendations to the childcare app industry:

  • 2FA for all admins and staff

  • Address known security vulnerabilities in mobile applications

  • Disclose and list any trackers and analytics and how they are used

  • Use hardened cloud server images. Additionally, a process in place to continuously update out-of-date technology on those servers

  • Lock down any public cloud buckets hosting children’s videos and photos

She also strongly recommends implementing end-to-end encryption between schools and parents: "There’s no need for the service itself to view communication being passed between schools and parents."

The irony here is that all of this is happening in the context of apps, which were sold to us as "curated computing." We were promised that if we ended the practice of software authors providing code to their users, and instead let Apple and Google decide what code we were allowed to run, all the evils of software would go away:

https://boingboing.net/2010/04/02/why-i-wont-buy-an-ipad-and-thi.html

In reality, apps are some of the dirtiest code we use. Muslim call-to-prayer apps harvest their users' data and sell it to ICE and other domestic spy agencies:

https://www.latimes.com/business/technology/story/2020-11-23/muslim-pro-data-location-sales-military-contractors

Period-tracking apps share their users' sex lives, fertility data, location and other sensitive info to all comers, and will be a bonanza for bounty-hunting forced-birth advocates seeking to turn in people who have abortions for cash rewards:

https://web.archive.org/web/20190909221027/https://www.privacyinternational.org/long-read/3196/no-bodys-business-mine-how-menstruation-apps-are-sharing-your-data

Why are apps such a consistent dumpster-fire? Well, for one thing, apps have to be built using the app stores' specs, which are billed as imposing rigor on software authors. In reality, the overheads this imposes has driven app makers to use software development kits that sneak privacy-invading data-collection onto users.

Because apps come from "app stores" and not as standalone software, app vendors can "update" their code with new, malicious behaviors and users can't "downgrade" to the earlier, superior versions. For example, when Audacity was taken over by dickheads who announced that the program would soon come with built-in tracking, users responded by announcing that they wouldn't install the new versions, and the company backed down:

https://hackaday.com/2021/07/23/new-privacy-policy-gets-audacity-back-on-track/

That's not how it works for apps. A couple years ago, a trivial app I used to specify Bluetooth priority (so my phone wouldn't connect to my kid's speaker when I walked past her room) was updated to include intrusive adware that popped up ads every time I unlocked the device. Eventually I figured out what was going on and uninstalled the software, but because this was from an app store, I can't roll back to the superior, pre-adware version.

The revelations about bad data-handling in childcare apps are disturbingly predictable. These are the very same bad practices that Elizabeth Warren, Cory Booker and Ron Wyden have raised with mental health apps like Betterhelp and Talkspace:

https://www.theverge.com/2022/6/23/23179866/elizabeth-warren-betterhelp-talkspace-therapy-pandemic-app-philip-defranco

It's hard to say which is more disturbing: privacy-invading, insecure mental health apps, or privacy-invading, insecure apps that track your toddler's play, sleep, location and diaper changes.

Neither is acceptable.

All of this should be viewed against the backdrop of legislative and regulatory initiatives to force tech giants to give their customers more say over which apps they run, and how. In response, Big Tech companies insist that allowing software developers to directly transact with device owners will expose the public to bad privacy and security practices – insisting, against all evidence, that "mobile" is a synonym for "secure."

One intriguing way out of this mess is by forcing the mobile platforms to fully support Web Apps, or at least to get out of the way developers who want to offer mobile tools to users to make Web Apps fully functional:

https://www.eff.org/deeplinks/2022/06/facebook-says-apple-too-powerful-theyre-right

A Web App is just what it sounds like: an app that is delivered into your browser, and runs inside of it. The Web App experience could be (but isn't) pretty much identical to installing app store apps: choose your app, click install, grant or refuse permissions, get an icon on your home screen:

https://open-web-advocacy.org/

But because Web Apps run in browsers, they can be modified by browser plugins – like ad- and tracker-blockers. And because Web Apps are defined by open standards – not by corporate fiat handed down by monopolists whose own products compete with app developers – anyone can make a Web App development toolkit:

https://www.w3.org/standards/webdesign/

Regular software can spy on users and steal their data, too, of course. But turning "programs" into "apps" didn't solve this problem – it just limited users' ability to defend themselves, making them reliant on two companies to decide what protections they deserve.

Image:
Cryteria (modified)
https://commons.wikimedia.org/wiki/File:HAL9000.svg

CC BY 3.0
https://creativecommons.org/licenses/by/3.0/deed.en

German Federal Archives (modified)
https://commons.wikimedia.org/wiki/File:Bundesarchiv_Bild_183-1986-1013-017,_Grethen,_Waschraum_im_Kindergarten.jpg

CC BY-SA German 3.0
https://creativecommons.org/licenses/by-sa/3.0/de/deed.en

(Image: Cryteria, CC BY 3.0; German Federal Archives, CC BY-SA 3.0 German; modified)

(Image: EFF, CC BY 3.0)


Hey look at this (permalink)



This day in history (permalink)

#15yrsago Open Source Consortium to regulators: Stop the BBC’s DRM! https://web.archive.org/web/20070210062816/http://www.opensourceconsortium.org/content/view/65/55/

#15yrsago Broadcast Treaty wounded and dying! https://web.archive.org/web/20070626103453/https://www.eff.org/deeplinks/archives/005333.php

#15yrsago Podcasting Bruce Sterling's "Hacker Crackdown" https://craphound.com/news/2007/06/23/the-hacker-crackdown-part-001/

#10yrsago St Colin and the Dragon: great torn paper kids’ comic https://memex.craphound.com/2012/06/22/st-colin-and-the-dragon-great-torn-paper-kids-comic/

#10yrsago EFF joins the defense in Charles Carreon v. The Whole Goddamned Internet https://www.eff.org/press/releases/eff-will-represent-oatmeal-creator-fight-against-bizarre-lawsuit-targeting-critical

#10yrsago Bruce Sterling interviewed about the New Aesthetic https://web.archive.org/web/20120626071907/http://davidalbertcox.com/blog/?p=29

#10yrsago Top US drug cop can’t tell the difference between marijuana and heroin https://web.archive.org/web/20120624135651/http://www.rawstory.com/rs/2012/06/20/top-dea-agent-wont-admit-heroin-more-harmful-than-marijuana/

#10yrsago Science fiction in Africa https://www.bbc.co.uk/programmes/p00t4yn2

#5yrsago A Chinese vitamin MLM cult is replacing healthcare for poor Ugandans https://web.archive.org/web/20200925111836/https://www.aljazeera.com/program/episode/2017/6/22/ugandas-health-pyramid/

#5yrsago For the first time, Jeremy Corbyn overtakes Theresa May in UK polls https://www.independent.co.uk/news/uk/politics/corbyn-theresa-may-poll-best-prime-minister-pm-latest-labour-conservatives-a7803911.html

#5yrsago US Copyright Office recommends sweeping, welcome changes to America’s DRM laws https://www.vice.com/en/article/d3zbnz/the-government-wants-to-permanently-legalize-the-right-to-repair

#5yrsago Crowdfunding a pro-vaccination bus to follow the anti-vaxxer bus https://www.gofundme.com/f/craigs-provax-world-tour

#5yrsago Canada: Trump shows us what happens when “good” politicians demand surveillance powers https://www.cbc.ca/2017/what-happens-after-the-good-politicians-give-away-our-rights-cory-doctorow-shares-a-cautionary-tale-1.4170865

#5yrsago A DRM-locked, $400 tea-brewing machine from the Internet of Shit timeline https://gizmodo.com/a-400-smart-tea-machine-gave-this-brit-an-existential-1796219286

#5yrsago John Oliver dared a coal exec to sue him, and now he’s being sued https://www.washingtonpost.com/news/morning-mix/wp/2017/06/22/john-oliver-a-giant-squirrel-and-a-defamation-lawsuit-by-a-coal-industry-titan/

#5yrsago Tumblr is now owned by a phone company, so it’s stopped fighting for Network Neutrality https://www.theverge.com/2017/6/21/15816974/verizon-tumblr-net-neutrality-internet-politics-david-karp

#5yrsago A history of artist Anish Kapoor and his assholic mission to own the color black https://www.wired.com/story/vantablack-anish-kapoor-stuart-semple/

#1yrago Peloton bricks its treadmills https://pluralistic.net/2021/06/22/vapescreen/#jane-get-me-off-this-crazy-thing

#1yrago Juul's junk science https://pluralistic.net/2021/06/22/vapescreen/#smokescreen

#1yrago Improving the ACCESS Act: Six ways to make the most important tech law of the legislative season even better https://pluralistic.net/2021/06/22/vapescreen/#improve-access



Colophon (permalink)

Currently writing:

  • Some Men Rob You With a Fountain Pen, a Martin Hench noir thriller novel about the prison-tech industry. Friday's progress: 554 words (18464 words total)

  • The Internet Con: How to Seize the Means of Computation, a nonfiction book about interoperability for Verso. Friday's progress: 508 words (15175 words total)

  • Picks and Shovels, a Martin Hench noir thriller about the heroic era of the PC. (92849 words total) – ON PAUSE

  • A Little Brother short story about DIY insulin PLANNING

  • Vigilant, Little Brother short story about remote invigilation. FIRST DRAFT COMPLETE, WAITING FOR EXPERT REVIEW

  • Moral Hazard, a short story for MIT Tech Review's 12 Tomorrows. FIRST DRAFT COMPLETE, ACCEPTED FOR PUBLICATION

  • Spill, a Little Brother short story about pipeline protests. FINAL DRAFT COMPLETE

  • A post-GND utopian novel, "The Lost Cause." FINISHED

  • A cyberpunk noir thriller novel, "Red Team Blues." FINISHED

Currently reading: Analogia by George Dyson.

Latest podcast: Monopolists Want to Create Human Inkjet Printers https://craphound.com/news/2022/06/20/monopolists-want-to-create-human-inkjet-printers/

Upcoming appearances:

Recent appearances:

Latest book:

Upcoming books:

  • Chokepoint Capitalism: How to Beat Big Tech, Tame Big Content, and Get Artists Paid, with Rebecca Giblin, nonfiction/business/politics, Beacon Press, September 2022

This work licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.


How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/web/accounts/303320

Medium (no ads, paywalled):

https://doctorow.medium.com/

(Latest Medium column: "Reasonable Agreements: On the Crapification of Literary Contracts" https://pluralistic.net/2022/06/19/reasonable-agreement/)

Twitter (mass-scale, unrestricted, third-party surveillance and advertising):

https://twitter.com/doctorow

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla