March digest: Facebook outrage, stolen passwords, and future cars
An important note. Our monthly digests don’t just observe posts from our blog. They also contain noteworthy industry highlights that have not been covered by the blog.
Facebook is generally one of the main stars of nowadays’ data drama. Its activities consistently raise questions about privacy, ad targeting, tracking, and blocking. But this March it has surpassed itself, losing billions of market value after the Cambridge Analytica scandal.
And it’s just the beginning: an FTC investigation and lawsuits are to follow. A lot of money will be lost here, and a lot more will be invested in reforming the app ecosystem that has been promised by Mark Zuckerberg.
All roads lead to Facebook
We made a handy coverage of the story and Zuckerberg’s plans on an app reform. Which promises to be a serious one, so we probably should give Facebook a chance and not stop using it yet. Besides, it’s no use in stopping use it anyway.
Our research showed that more than 40% of popular mobile apps use Facebook’s tools for app developers. Mostly for monetization and analytics. The data that these apps gain access to, go to Facebook.
First consequences: no more Partner Categories for targeting ads on Facebook
As one of the first measures to improve privacy after the Cambridge Analytica scandal, Facebook announced shutting down the Partner Categories feature. It allowed advertisers to target Facebook users based on data from third-party providers, rather than from data gathered inside Facebook
An autonomous car is the best friend of a brand
The smartphone is a great snitch, but a car is a greater one. Your phone tells everything about you to governments and corporations, but a car can tell even more. Connected autonomous vehicles (CAVs) are equipped with a ton of sensors, among them -- biometrical ones that recognize your face, voice, fingerprints. Vehicles know where you live and work, where you are right now and how you are moving to your destination. CAVs’ spreading will mean a whole new era of big data, its use and abuse -- Facebook’s current mischiefs will be of no comparison. Think about just two of the many aspects:
1.Since CAVs will mostly be not owned but shared by drivers, users will have much less control over data harvesting and usage
2.CAVs do actually need all that data in order to operate. Mobile apps often request access to data they don’t actually need, like those famous flashlight apps that want geolocation, access to SMS and calls, and so on. “Greedy” apps can be replaced with more “modest” analogs. The situation with cars is different.
Even passwords are prey
Among the data that apps don’t need but still harvest, there can be the most sensitive types of information, for example, passwords. The funny thing is, app and analytic system developers try to protect sensitive user data from themselves, but the very principles of Internet’s design stand in their way. While they struggle, it’s up to you to protect your password (see, how)
Even Facebook’s VPN spies on users
Sorry, Facebook, it’s about you again, nothing personal, it’s just that you are really ruthless about privacy. An infosec expert Will Strafach dug into Onavo Protect to see what data it sends to Facebook. Onavo Protect is a VPN service owned by Facebook. VPN is associated with security and privacy, and you don’t expect your VPN app to be yet another source of data leaks. But Facebook has its way of doing things. Strafac says:
Onavo Protect uses a Packet Tunnel Provider app extension, which should consistently run for as long as the VPN is connected, in order to periodically send the following data to Facebook (graph.facebook.com) as the user goes about their day:
- When user’s mobile device screen is turned on and turned off
- Total daily Wi-Fi data usage in bytes (Even when VPN is turned off)
- Total daily cellular data usage in bytes (Even when VPN is turned off)
- Periodic beacon containing an “uptime” to indicate how long the VPN has been connected
- cellular carrier name, mobile network code, mobile country code, locale/language, iOS version, and Onavo app version
Yet another technique of passing ad blockers
An ad network investigated by Qihoo 360 Netlab team utilized a domain generation algorithm (DGA) for bypassing ad blockers. The DGA generates new domain names to replace the ones blocked by an ad blocker when it stops ads being requested from advertising servers.
Besides showing ads, the network also deployed a copy of the Coinhive in-browser Monero miner. Fortunately, AdGuard’s apps know how to deal with DGAs. Our in-browser mining detection method is not that simplistic and we don’t rely on just blocking known domains.
YouTube keeps not keeping their promises
Back this January YouTube announced a ban on non-skippable 30-second ads. But, as AdAge have noticed, “YouTube video clips in shows from NBCUniversal, Viacom, Turner and other networks still run some 30-second pre-roll ads”. A spokesperson from YouTube commented: “a very small number of impressions coming from third-party ad sellers might still be working its way through our systems”.
YouTube loves ads. It has a paid version, YouTube Red, that is supposed to be ads-free. But last September Reddit users saw some ads there. And it was not a mistake: Youtube Red is free only of ads served by Google itself, and only in videos. Content creators can embed different types of ads and promotions in their videos.
