Feel like you’re being watched? It’s probably because you are.
Entefy is developing cyber security technologies that protect users’ private data, so we’re naturally very interested in what we call “data trackers,” digital surveillance systems designed to go unnoticed as they capture your sensitive personal data.
Not all data trackers are secret or even nefarious. Some surveillance is disclosed through Terms of Service or other user agreements. After all, it’s become a rule that if you didn’t pay for the app, you’re the product—your usage will be collected and monetized, usually through targeted advertising.
Data trackers come in all shapes and sizes. They can take the form of security vulnerabilities—like the example below of hackers stealing smartwatch data to deduce ATM PIN codes from the motion of the victim’s hands. Others we simply accept as facts of 21st century life or fair payment for free services we can’t live without. Still others are just plain disturbing, like toys designed to record children while they play.
Below we’ve assembled a list of 39 different data trackers that Entefy has researched over the past year. The point of this article is education: to provide you with information about data collection activities that can easily go unnoticed. Informed digital consumers can become secure digital consumers. But at the end of the day, it’s difficult to read about all of these data trackers and not end up feeling just a little bit icky about the sheer number of companies profiting from your personal data.
The items below were first covered in the following Entefy articles:
- Hiding in plain sight: 8 digital security threats in everyday life
- 10 signs data privacy is the new Wild West
- Seven new assaults on data privacy
- Collected, bundled, and sold: your sensitive private data
- Data trackers are watching your every (digital) move
Secret and not-so-secret data trackers and cyber security threats
- Think you’re safe from privacy violations at work? You’ll probably want to know that one report estimates 15% of the Fortune 500 make use of secret tracking devices hidden in lights and ID badges. One surveillance vendor reports that 350 different companies are using its products to monitor “conference room usage, employee whereabouts, and ‘latency’—how long someone goes without speaking to another co-worker.”
- The CEO of iRobot, the maker of the popular Roomba automated vacuum cleaner, caused a stir after apparently suggesting the company was seeking deals to sell data about the layout of users’ homes to third parties. The company later clarified that it didn’t have any plans to sell the data without users’ consent. The situation shines a spotlight on the ongoing tension between personal privacy and the monetary value of certain types of consumer data.
- Achieving the elite heights of pro sports apparently doesn’t make you immune to privacy threats. The NBA and its players’ union are in conflict over how much data can be collected and shared using wearables like fitness trackers. The players’ union is seeking control over what data is collected and how it gets used. These are exactly the same legal issues and ethical considerations being raised as more and more employers deploy wearables to their employees.
- Your car is watching. Computer systems in many newer cars create records of pretty much everything you do on the road, from logging telephone calls to recording how fast you drive. The challenge for consumers is figuring out what’s being collected, and where it goes afterward. The legal situation in the U.S. is murky, with no one law covering data collection by automobiles.
- Be careful what you say in front of Barbie. A study from University of Washington researchers demonstrates how the Internet of Toys is raising new privacy questions. In interviews with parents and children about the use of Internet-connected toys, the researchers found that children were unaware that their toys were recording their voices, and that parents worried about privacy pretty much any time the toys were out of the toy boxes.
- A lighthearted Facebook meme may unintentionally telegraph answers to your banking security questions. The post, called “10 Concerts I’ve Been To, One is a Lie,” asks users to share information about concerts they’ve attended. The problem is that “Name the first concert you attended” is a common security question used by banks and other financial institutions for online authentication. Phishing aside, the meme can also “telegraph information about a user’s age, musical tastes and even religious affiliation — all of which would be desirable to marketers hoping to target ads.”
- Usage-based insurance (UBI) is the term for insurance products that are priced according to specific usage factors. UBI auto insurance, for example, is priced on factors like how often a driver uses their car, how fast they take corners, and their average speed. University researchers were able to demonstrate that it’s possible to reveal personal data by pointing an AI algorithm at usage-based insurance data stored in the cloud. One researcher commented, ‘An attacker only needs one part of the information provided to a UBI company to discover a driver’s whereabouts, home, work, or who they met with.’
- An audit by the Internet security nonprofit Online Trust Alliance found that 6 of the 13 “Free File Alliance” tax websites approved by the IRS provide inadequate security and privacy protection. The report states, “Criminals are increasingly penetrating IRS systems, targeting e-file service providers and harming consumers through bank account take-overs, identity theft, ransomware and compromising completed returns to redirect tax refunds.” As if April 15 wasn’t stressful enough.
- The Lumen Privacy Monitor will tell you which apps are collecting your data. 7 in 10 smartphone apps share your data with third-party services. To help users become aware of which apps are collecting data from them, researchers developed an app that lets users “see their information collected in real time and the identity of the entities receiving the information.”
- Get your Facebook data back. Do you ever wonder how Facebook gains so much insight about its users? The free browser extension Data Selfie sheds light on Facebook’s machine learning algorithms and “tracks all the digital breadcrumbs you would leave behind when using Facebook (hint: it’s a lot of breadcrumbs) and creates your personality profile.”
- It’s possible to hack a phone through sound waves. Accelerometers measure rest and acceleration in smart devices and are commonly found in smartphones, fitness trackers, and automobiles. Although they are helpful for navigation and orientation, researchers recently discovered that accelerometers are susceptible to vulnerabilities. “Researchers describe how they added fake steps to a Fitbit fitness monitor and played a ‘malicious’ music file from the speaker of a smartphone to control the phone’s accelerometer. That allowed them to interfere with software that relies on the smartphone, like an app used to pilot a radio-controlled toy car.”
- ESPN collected first-party data on about 106 million of its users. ESPN collects information such as a person’s favorite teams, leagues, and players, and displays strategic advertisements based on these preferences. If a Warriors fan visits the website after a win, advertisements for special merchandise will appear when that person checks the website. For the ESPN visitors who do not volunteer their preferences, the network can figure out sport preferences by tracking their behavior online.
- Smart TVs are known to track personal data, and Vizio got caught. Earlier this year, Vizio paid $2.2 million to settle charges for monitoring viewing habits of more than 11 million TVs without consent. “The main problem was that Vizio TVs had tracking features turned on by default, instead of an opt-in setting like many other manufacturers use…but the situation is now a relatively good one for Vizio TV owners: the company is specifically prohibited from tracking your viewing habits without explicit permission.”
- Google can track when someone clicks an ad and buys something from a physical store. If you see an online advertisement for a product, then go to a store and buy it with a credit card, Google can track your behavior and report the data to marketers so that they can see how effective their advertisements are. “How does Google know if you bought something at Subway or Aldo? It works with the credit and debit card companies to match up in-store purchases with your online identity. The company has partnerships with companies that account for 70% of credit and debit card purchases in the U.S.”
- There are “microdots” on printed documents that encode the serial number for the original printer. Research suggesting that printers might be spying on us has been around for a while, and a recently leaked document has brought it to the forefront of the news again. A quick analysis by experts of documents related to a National Security Agency leak case “seemed to reveal the exact date and time that the pages in question were printed: 06:20 on 9 May, 2017 – at least, this is likely to be the time on the printer’s internal clock at that moment. The dots also encode a serial number for the printer.”
- Not all virtual private networks (VPNs) are created equal. VPNs create an encrypted connection between your browser and another private server, and protect users from things like malware. But it can be hard to tell how secure every VPN is and what it’s doing with your data. To optimize security on your VPN, “avoid free services, and…look into setting up your own. Otherwise, make sure a paid VPN has a privacy policy you’re okay with…And on a larger scale, remember that the best solution is still policies that would tackle the problem at the source: ISPs’ ability to sell your data.”
- Twitter’s new privacy policy with invasive defaults doesn’t “sound good.” Twitter has updated its privacy policy in order to provide users with a more personalized experience, which includes very specific tailored ads. Twitter “will now record and store non-EU users’ off-Twitter web browsing history for up to 30 days, up from 10 days in the previous policy.” This policy is on an opt-out basis. You can “click ‘Review settings’ to opt out of Twitter’s new mechanisms for user tracking.” Wondering why EU users are exempt from this privacy policy? Read on.
- Amazon Echo Look is collecting a full picture of you and your home. The cloud-connected camera wants to give consumers feedback on their outfits by using advice from fashion experts and machine learning algorithms. “The lookbook is a digital collection of ‘what you wore and when.’” But what’s important here is that “you’re potentially giving the tech giant a lot more data than just the type of chinos you sport. The pictures can reveal socioeconomic status, whether you’re married, religious affiliation (hello cross above your bed), and potentially a lot more.”
- Evernote attempted to update its privacy policies to make it clear that its employees could read your notes, without the option to opt out. But users protested and the company reversed the changes: ‘We announced a change to our privacy policy that made it seem like we didn’t care about the privacy of our customers or their notes. This was not our intent, and our customers let us know that we messed up, in no uncertain terms. We heard them, and we’re taking immediate action to fix it.’
- A Canadian consumer data privacy advocacy group found that many popular fitness tracking devices transmit your data in ways that make the devices vulnerable to interception or tampering. And the devices can potentially be used to track your movements and profile you: “We discovered severe security vulnerabilities, incredibly sensitive geolocation transmissions that serve no apparent benefit to the end user, and that were not available to users for access and correction, and unclear policies leaving the door open for the sale of users’ fitness data to third parties without express consent of the users.”
- A study published in the Journal of American Medicine looked at a large collection of diabetes apps on Android and concluded: “Most of the 211 apps (81%) did not have privacy policies. Of the 41 apps (19%) with privacy policies, not all of the provisions actually protected privacy (e.g., 80.5% collected user data and 48.8% shared data). Only 4 policies said they would ask users for permission to share data… Patients might mistakenly believe that health information entered into an app is private (particularly if the app has a privacy policy), but that generally is not the case.”
- If you’re worried about protecting your activity on Facebook, it’s worth recalling that the social network makes it easy for its advertisers and partners to track you freely: “Most people forget that when they download an app or sign into a website with Facebook, they are giving those companies a look into their Facebook profile. Your profile can often include your email address and phone number as well as your work history and current location.”
- Meitu, a popular photo-editing app that requires a long list of permissions, has other potential security vulnerabilities: “[Security experts] found numerous serious privacy flaws and avenues for potential leaks of personal data. One eagle-eyed researcher found the Android version of the app asked users for dozens of intrusive permissions, and sends the data to multiple servers in China—including a user’s calendar, contacts, SMS messages, external storage, and IMEI number.”
- WhatsApp was in the news after a disputed report about a security vulnerability; what emerged from the discussion was awareness that the app’s privacy policies are not clearly defined: “One of the biggest concerns around WhatsApp from a privacy perspective is its opacity, as frequently noted in the Electronic Frontier Foundation’s assessments of which tech providers ‘have your back.’ Whilst [WhatsApp] owner Facebook does have a transparency report, released twice a year, it doesn’t drill down into how many data requests relate to WhatsApp, let alone what kinds of information it can hand over.”
- Your ambient conversations aren’t believed to be recorded, but Alexa and Google Home listen to everything you say in order to activate each system. You can restore privacy by using the physical mute button on each device. “If you only use Chrome in ‘Incognito Mode,’ put tape over your laptop camera, and worry about snoops sniffing your packets, a web-connected microphone in your home seems risky.”
- Uber is collecting location information for up to 5 minutes after rides end. Unless you opt out, Uber collects a rider’s location even after closing the app. The company stated that its intention is to improve pickups and drop-offs and measure safety issues like how often riders cross the street after their ride. The company recently announced that it intends to quit user tracking.
- Some types of wearable devices record the movements of users’ hands. These devices can be hacked in real time to reveal ATM PIN numbers and other key-based security codes. Researchers stated that “Adversaries can obtain sensor readings of wearables via sniffing Bluetooth communications or installing malwares on the devices, and further infer the user’s PIN sequence.”
- The conversations kids have with these cute toys through an app are being sent to a third-party server in the U.S. without asking for permission first. The app uses a popular voice recognition technology; the problem is that parents aren’t clearly notified that kids’ voices are recorded and sent to a third party that states in its Terms of Service that the data can be used for advertising or further shared with other third parties.
- Android apps that are downloaded outside of Google Play are not always secure. Hackers create lookalike apps that, when downloaded, can take over a device, spread ransomware, and steal data. One malware campaign known as “Gooligan” infected more than 1.3 million Google accounts globally, primarily in Asia. You can check to see whether your account was compromised by visiting this site.
- Headphones can be hacked into and used as listening devices. Researchers in Israel have “created a piece of code designed to prove it’s possible to hijack a user’s headphones and turn them into a covert listening device…[The malicious code] captures vibrations in the air and converts them to electromagnetic signals able to capture audio.”
- Even when Shazam is turned off on a Mac, the microphone remains active. The stated purpose was to create a better user experience, but it leaves the app vulnerable to hacking. After users complained, the company stated that it intended to reverse the decision and issue a patch for Mac users.
- Ultrasonic cross-device tracking uses high frequency audio signals—that you can’t hear—to track your online and offline behavior and assemble a profile of what ads you’ve encountered, what websites you’ve visited, and where you’ve been. Most users are unaware that when they grant an app permission to access their smartphone’s mics, “apps that use ultrasonic tracking could access their microphone…all the time, even while they’re running in the background.”
- Individuals can install software that informs them when a recipient opens their emails, without the recipient being notified. The software has legitimate uses, like ensuring important emails reach their intended recipients. But by operating in secret, the technology is ripe for abuse, as in one case of a fan stalking the rapper Jay-Z.
- Phone metadata created by calls and texts can reveal private information about you, like the status of your health. Stanford researchers built a smartphone app that collected phone call and text message metadata like the frequency, time of day, and duration of communications. They were then able to determine very specific information about individuals from that metadata, like that one study participant had a heart condition and another owned a particular model of assault rifle.
- If you download popular free apps on your Android or iPhone, there is, respectively, a 73% and 47% chance that your personal information has been shared with third parties. “The average Android app sent sensitive data to 3.1 third-party domains, and the average iOS app connected to 2.6 third-party domains.” Many of these connections are disclosed to the user, while many are not.
- Your browser settings and battery levels enable “fingerprinting” that is personally identifiable and trackable across devices. User tracking has evolved to be far more sophisticated than cookies, those small files that contain information about you. Advanced tracking systems can infer from usage patterns that, for example, a smartphone and a laptop are used by the same individual.
- Frequent Locations on your iPhone records your every move unless you turn it off. “Apple says that the data is stored only on your device and nowhere else unless you opt in to share it with the company to improve the Maps feature. In that case, the company says it stores user private data anonymously.”
- Hackers can follow you in real time while you’re using a traffic app. In a published paper, researchers at UC Santa Barbara studied how Sybil attacks—a type of security threat in which a node in a network claims multiple identities—could cause mayhem. They concluded, “Our experiments show that a single Sybil device with limited resources can cause havoc on Waze, reporting false congestion and accidents and automatically rerouting user traffic.”
- In another case of spying toys, major toy companies breached the U.S. Children’s Online Privacy Protection Act and collected data about children for third parties. “The companies used technology that allowed third-party vendors to collect and use personal information from children under the age of 13 without parental approval.”
Security guides for protecting your digital identity
In our article, “Now is not the time to take a nap in your security blanket,” we shared resources that describe steps you can take to increase your digital security profile—everything from setting up VPNs to one simple action the FBI recommends for preventing unauthorized use of your laptop camera.
- This guide to setting up a Virtual Private Network “in 10 minutes for free” describes the steps you can take to install the secure Opera browser, evaluate VPN providers and products, and start using the Electronic Frontier Foundation’s HTTPS Everywhere browser plug-in.
- The consumer privacy nonprofit Fight for the Future created an interactive guide to protecting smartphones, laptops, and desktops. This resource is designed to be accessible to computer users of any knowledge level.
- Following the revelations about C.I.A. hacking, the New York Times produced a guide to protecting iPhone and Android smartphones as well as smart TVs, routers, and personal computers.
- Consumer Reports magazine produced a guide with 66 actionable tips for protecting your privacy, covering steps to prevent personal data collection, select better passwords, and even protect your data after death. They published a 10-minute digital privacy tune-up as well.
- Quick tip from the FBI: cover your laptop’s webcam.
- Famed hacker Kevin Mitnick shared his tips on how to secure your smartphone and laptop.
- Here is a roundup of 10 low-tech ways to guard your online privacy, covering tips like plugging your headphone jack to thwart hackers from hijacking your smartphone’s mic.
- Understand more about what encrypting your Internet activity from your ISP does and doesn’t do.
The digital world is complex and constantly evolving. Spend some time determining your comfort level with automated data collection, then evaluate the apps and services you use against your personal standards. There are millions of apps available on the major mobile platforms, so be sure to look for high-quality apps that don’t depend on advertising data collection. Stay informed, stay (digitally) safe.