TEKDESK: Protecting Your Privacy
A Division of COIN: The Community Opportunity & Innovation Network
www.tekdesk.org www.coin-ced.org
Made possible by a grant from the Office of the Privacy Commissioner of Canada http://www.priv.gc.ca
A smartphone is a cell phone that can connect to the internet and run a number of programs called apps chosen by the user. Smartphones have reached about half of the Canadian market. Their market share is only expected to increase. Smartphones store a lot of personal information: your address book, email, Facebook and more. Lots of apps need or want personal information. This can threaten your privacy.
Smartphones have operating systems just like computers. In Canada, the most common are:
iOS, used for Apple’s iPhones and iPads.
Android, used for smartphones and tablets from many different companies.
BlackBerry OS, used for RIM’s BlackBerry phones.
Windows Phone, used for certain smartphones from various companies, particularly Nokia.
Software developers create programs – apps – for each operating system. Manufacturers list them in online stores where you can download them. Some are free, some cost money. Apps include games, Facebook, Twitter, special messaging programs and even lightweight versions of office software.
Physical: If someone gets a hold of your phone, they might be able to access your personal information.
The User: You might mistakenly share your information over the internet using your phone.
Software: The app may be designed to share your personal information in some way you don’t want.
In addition to these, you may face High Security Situations where you should turn off your phone and, if possible, remove its battery.
Cyberbullying: If you are in danger of being bullied, your private information can be used to say hurtful things to you or an online audience. Cyberstalking: Your personal information could be used to track your movements and actions to harass you. Identity Theft: This is a form of fraud where someone pretends to be you for financial gain, such as using your credit card or getting loans in your name. Human Rights Violations: Your private information may be used to commit a human rights violation. Stress: Privacy loss is a stressful event, no matter what happens. Do not underestimate the effects of stress.
The formula: Technology knowledge + common sense = security! You probably already have the common sense – it’s just the technology you’ll need help with. Let’s talk about the ways we can protect against privacy threats that might come up through these three avenues. We’ll also talk about some general best practices to protect your privacy.
To use a smartphone responsibly, you need to strike a balance between your privacy needs and ease of use. The best way to keep an app or other feature from damaging your privacy is to not use it, deactivate it, or remove it. If you use your phone for work, ask if the workplace has any policies you should be aware of. Assess your privacy needs: Do you plan on using your smartphone for work or financial transactions? Do you regularly look at sensitive information? Are you responsible for dependents? You need to safeguard their privacy as well as your own. Are you likely to face privacy-related threats such as harassment, stalking and identity theft? In this course we will highlight essential privacy safeguards with red text. Do more if you need to.
Physical security protects against the dangers of someone getting a hold of your phone. This could be someone stealing your phone or sneaking a peek while you’re asleep, distracted or elsewhere.
Jane leaves her purse at her table while she gets a refill for her coffee. A man on the way out grabs the phone right out of her purse. He uses her Facebook and email to trick Jane’s friends out of money by pretending to be her. Tony does not feel safe with his partner, but they still share the same apartment. He has been planning to leave. After his partner turns on Tony’s phone, he reads email Tony sent to friends about the situation.
There are three appropriate places for your phone:
1. In a pocket of something you are wearing right now.
2. Within arm’s reach.
3. At a set location in your home or another secure area.
Your phone has a lock screen: a screen that comes up before you use the phone for anything. Your lock screen should always be password protected to prevent peeking. There are multiple types of “passwords” to choose from depending on the phone, like standard passwords, swipe passwords and face recognition. No matter what you pick, you will always be asked to have a standard password as well. Some phones offer a default 4 character password. Look for an option that lets you use a longer, secure password.
Your phone should never be sold, traded, or disposed of without wiping all of your information first. This is true even if you’re throwing the phone out, returning it to the carrier, or giving it to a family member or close friend. Remove the phone’s memory (SD) card. Do not just delete its contents, as these can be recovered. Check with your carrier about deactivating the phone’s SIM card. Every smartphone can be “factory reset”: returned to the condition it was in when originally purchased, with no personal information beyond a phone number. Do this (or have someone do it) to every phone you plan on getting rid of. Removing the phone’s SD card does not take the place of resetting the phone. You must remove the card and reset the phone.
Report a lost or stolen phone immediately! Your carrier may be able to remotely deactivate it. If your phone is a popular brand (such as an iPhone), pick a case that changes its shape, and use headphones or ear buds of a different brand than your phone. If you feel confident doing so, take a look at software that may help you track a stolen phone, such as Prey: www.preyproject.com.
Knowledge is your best defence against privacy threats. Do you know what your phone does? Do you know the information your apps send? Does your carrier offer any services that could threaten your privacy? Even tech-savvy people run into problems.
Carrier Services: Does your carrier offer services that can be used to spy on you? Apps: Are you accidentally using app features that share private information? What You’re Saying: Are you texting or posting anything on social networks that could be dangerous to your privacy?
Bob posts publicly on Facebook that he just got home. He doesn’t know that his post includes his physical location, which he accidentally allowed it to add. Mary goes to a shelter. Her abusive partner finds her location via the Rogers Phone Finder service they were registered under. This pins her phone’s location on a map. He tracks her down. John mentions on Twitter that he’s going on vacation for a week. When he returns, he finds his apartment has been robbed. The thieves knew he was away.
Bell, Telus and Rogers all provide services that allow people to track the locations of their own phones, and sometimes others.
Bell Seek and Find
Rogers Phone Finder
Telus Asset Tracker (Business)
For the best security, make sure your phone cannot be tracked by these services. Contact your carrier and look up these services online. Other carrier services include the ability to look at texts and perform other functions on a distant phone from your computer. If you use these services, never share your password. For best protection, don’t use them!
Learn about the apps you use. Some of them have features that let you share private information – you might do this accidentally. Facebook is the app/service people accidentally share information with the most. For example, it allows you to add your location to almost everything you post, and nags you to do it. It also allows you to enter your phone number, which can be harvested by your friends’ address books. Look out for location/GPS features as well. They may add location listings to your posts, or add location based metadata (information that appears with a file) to pictures. People are especially prone to accidentally sharing private information with social media and messaging apps.
Even if you master your apps’ risky features, there’s always the danger of sharing information through your own words and pictures that could damage your privacy. Be especially careful about posting your location, family information and anything that could reveal financial information, such as the bank or credit card you use. Most people would never post their credit card or bank account numbers, but you should also think twice about posting the bank or credit card brand you use.
Apps on your smartphone require permission to use certain files and capabilities on your phone, such as your address book (or contacts) or your camera. Some apps ask for permissions that could threaten your privacy.
Carol downloads a messaging app. It automatically emails all of her address book contacts to let them know she’s using it, but her contacts include a former harasser who she had an email conversation with two years ago. Farooq uses a blogging app to write anonymous articles on politics. Advertisers use this information to tailor ads on websites. When he surfs the web to do research at work, his supervisors notice that the ads he encounters reflect his politics.
By default, apps can only run in their own little section of the phone’s system, called their sandbox. An app that can only use the sandbox would be pretty useless. A web browser app needs to use the internet, and an app that lets you add filters to your pictures may need your phone’s camera, photo gallery, or both. Letting an app do this gives it permissions, so that’s what these features are called. If an app needs permissions, you normally have to give them to use the app properly, or you are assumed to give them if you download it. Some apps ask for permissions they don’t really need to function so they can promote themselves, send data to advertisers or track user behaviour to improve themselves. A few apps are malware – they steal information or change how your phone works for malicious or criminal purposes.
They share information you don’t want to share. They perform an action that compromises your privacy. Some of them enable true malware designed for criminal activities, but most of these problems come from incompetent or greedy app development.
In 2012, the Office of the Privacy Commissioner of Canada funded a Tekdesk project to research the privacy effects of smartphone apps. Our initial research of the literature indicated the following: Many users don’t understand smartphone permissions, and don’t pay much attention to them. Free apps were much more likely to possess questionable permissions than paid apps. In many cases, the problem isn’t malware, but app developers getting sloppy. To make it easy on themselves, they ask for wide-ranging permissions. App developers have also taken security shortcuts. For example, some apps uploaded contacts without encrypting them. This might allow a hacker to intercept that information. In some cases, the permissions you see don’t match what an app actually does. For example, in one court case, the plaintiff alleges that her Windows Phone device continued to transmit location-based information after she specifically disallowed that permission.
Phase 2 of our research looked at the permissions requested by the top 50 free and paid apps for the four major smartphone platforms, according to their app stores. We discovered the following: Android and Windows Phone apps from their official stores tell you permissions before you download. iOS and BlackBerry apps don’t. iOS only provided standardized permissions for push notifications and location-based services. As of December 2012, the BlackBerry OS lets you change virtually any permission. For others, you are mostly restricted to changing location-based services. Developers tend to ask for standardized sets of permissions, no matter the app. For example, every single BlackBerry OS smartphone app allows access to email, organizer data (calendars, contacts), files, and security data by default. This may allow problem apps to conceal themselves as “wolves in sheep’s clothing.” Virtually every app requests local network and internet access, even when the app doesn’t have any obvious use for it.
Each mobile operating system has a different method of listing permissions, and different permissions categories.
Android: Read permissions in the Google Play app store or website before you download.
iOS: You need to download the app first. The app will ask for some permissions. Others require you to take a close look at what the app does. Go to Settings to see some apps’ permissions, such as permission to use push notifications.
BlackBerry: You need to download the app first. Look at the app under Options>Device>Application Management in BlackBerry phones made before 2013.
Windows Phone: The Windows Phone Apps+Games Store lists permissions for apps. Read them! In addition, after you download, the app may ask permission for some functions, such as location-based services (GPS, Wi-Fi triangulation).
Every operating system describes privileges in a slightly different fashion, but they’re all talking about basically the same things. Some permissions are no big deal, but a few require your close attention because if they’re misused by the app, they can compromise your privacy. When you see a suspicious permission, ask yourself if the app really needs that to function. Remember that some apps are ad-supported, and have extra permissions for that reason.
Address book/contacts and calendar: Legitimately used for messaging, calendar and some social media. Otherwise, do not allow. Geolocation/location-based services: Legitimately used for navigation, mapping and some social media (Facebook, Foursquare). Some apps (such as weather) also give custom content based on location, but should not need to know your fine, GPS-based location – just your general area. Camera: Only apps that use your camera or affect photos need this permission. Otherwise, it can be used to take photos without your permission. Phone calls and texting (SMS/MMS): Legitimately used for some messaging apps. Otherwise, it can be used to run up charges on “premium” phone calls and texts.
The most common way to get apps is to download them from official app stores for each operating system/device. There are alternative app stores out there. For some phones (especially iPhones), you need to void your warranty by adding the ability to use them. For iPhones, this is called jailbreaking. Official app stores use some safeguards against malware and security risks, but apps often get past them. Alternative app stores do not have these guarantees. It’s also possible to install apps from your PC or through an SD storage card. This is called sideloading. Sideloaded apps may or may not be safe, depending on the app, but there are no guarantees. Alternative app stores and sideloading are not recommended for most users. Just because an app comes from an official app store doesn’t mean it’s automatically safe.
Some jobs and other circumstances create high security situations where you should take every precaution against privacy breaches and surveillance. Examples of high security situations include: Work that brings you into contact with people in crisis. Visiting a shelter for individuals coping with violence. Any time you believe there would be a serious threat to your privacy, and you are not sure how to protect it.
Zenia is staying at a shelter to escape a violent ex-partner. Her partner secretly installed tracking software on her phone. He activates it. The software doesn’t leave any sign that it’s active. He uses the phone’s location to track her down. Zenia turned off the phone’s GPS, but the software used Wi-Fi triangulation as well, and it’s good enough to find her rough location. Jeff works at a youth shelter. A shelter resident steals Jeff’s phone, and not only uses the phone to arrange a drug deal (which may get Jeff in trouble) but gets enough of Jeff’s personal information to harass him later.
Your phone must be completely powered down to be truly turned off. It is not off when the screen is dark and you’re not using it. It’s on standby. This is true even if you have set your phone to be silent or block calls and texts. Some apps and hacking techniques can be used to use your camera and microphone, or read information from your phone (including location) while your phone is on standby. Some phones cannot be completely powered down even when turned “off” according to the device’s settings. You must remove the battery.
Ask about cell phone policies for that site or job. If they recommend additional steps, use them. If they don’t, take the other steps anyway. Power down your phone. Hold down the power button and select the option that shuts down your phone. For extra protection, remove the battery if you can. If you can’t, consider leaving your phone in a secure location, away from the high security situation.
If you will regularly enter high security situations, consider getting a dedicated phone to use when they arise. Some jobs offer these phones to workers. For the best security, this phone should not be a smartphone. If it is, it should contain virtually no non-work information. Don’t use it for Facebook, for example. The most secure option is a prepaid/pay as you go phone that is not registered under your name. Use this phone for communication in high security situations, such as talking to clients or calling in and out of facilities. Do not enter any private information into this phone, and limit communication with private life connections to emergencies only. In situations like this, it is perfectly reasonable to carry two phones.
Threats to your privacy come from losing physical security (someone gets their hands on your phone), user actions (you do something to release private information) and software (the app does something to release private information). Some high security situations require additional precautions. Don’t let your smartphone out of your sight! Learn about your carrier, smartphone, and apps. Just because your friends and family aren’t concerned doesn’t mean you shouldn’t be. Everyone is different. Technology knowledge + common sense = security! Keep learning and thinking.
To protect your smartphone’s physical security:
1. Keep your phone by your side or in a secure location at all times.
2. Use a password-protected lock screen.
3. Wipe your phone with a factory reset and wipe/remove the SD card before you get rid of it.
To prevent yourself from accidentally sharing information:
1. Study the apps you use for features that share too much, such as GPS location.
2. Don’t post sensitive information, especially about your location or finances.
3. Make sure you cannot be tracked through carrier services.
To prevent apps from breaching your privacy:
1. Research apps online before you download them.
2. Look up their permissions to see if they want to do something they don’t need to do.
In a high security scenario:
1. Completely shut down your phone. For extra protection, remove its battery.
2. Use the strongest combination of site security policies and what you learn here.
3. If you can’t remove the battery, consider leaving the phone in a secure place away from the high security location.
4. Keep an alternate phone, such as a prepaid phone that is not activated under your name.
For more information, contact Tekdesk: www.tekdesk.org firstname.lastname@example.org www.twitter.com/tekdesk Look for us on Facebook – search for Tekdesk Peterborough