According to the 35c3 talk[0] by the authors, both SkyScanner and The Weather Channel updated their apps to stop the tracking after the authors told them it was happening.
When do we expect the first GDPR challenges to land on Facebook?
The law was clearly designed to deal with them. They continue to violate its principles. GDPR delivered tremendous collateral damage to raise these gates. But where is the pay-off? Is there preliminary footwork deploying? Or is Europe distracted by Italy et al?
Facebook tries to offload the responsibility to developers. This is shady at best and I hope the law catches up.
But there is also the problem of developers that just don't care. Or, developers that think they care but can't even be bothered to research what a library they include in an application actually does. This is something that the death of Facebook will not solve.
GDPR has already been paid off, every day for every user both in the online and offline world is a victory, and examples of it were shown in the talk as well. How GDPR pushed developers to discover this issue and demand solutions for their own apps. How Facebook improved the ability for developers to be privacy conscious etc. (hardly by choice, but even they didn't think they could get away with less)
Apple needs to ban these SDKs from being included in apps. No one reads the privacy policies and they leak data to another party that the user doesn't have a relationship with.
Provide first party services, intermediate between apps and ad networks and/or white list a handful of companies to provide these services that are audited and have separate contractual relationships with Apple.
I think a good idea would be to stipulate to Facebook, Google, and every purveyor of "analytics" SDKs that they need to serve iOS app developers and their users from EU subsidiaries that are subject to GDPR.
Apple has a policy that apps (and their SDKs) must comply with IDFA, so if a user doesn't want to be tracked across the apps they use they can go to settings -> privacy -> advertising to turn off the tracking.
iOS doesn’t provide a system-wide unique ID; however, there is still more than enough data (WiFi network names, device name, device type, IP address, etc.) that Shitbook can uniquely fingerprint a device and identify a user.
Simple question: We have firewall capability on every computer.
I am surprised that we don't have a FW on a phone - or an app that can be installed which I can force all traffic from the phone to pass through, with source-app and destination IP/App/Service - and choose to block the traffic we would like.
If you have a rooted Android phone, use AFWall. It's available on F-Droid and Google Play and uses the hosts file.
If not rooted then use NetGuard (as mentioned in another comment). It sets up a local VPN on your phone to filter traffic.
Other apps also use the local VPN approach for different reasons, e.g. DNS66 allows you to specify your own DNS servers. You'll only be able to use one VPN app at a time.
+1 for NetGuard. I just started using it recently on a new phone and it was the first thing I installed before connecting the device to any network. You would be amazed how many apps try to make a connection to graph.facebook.com
Check out Exodus Privacy[1] to see what trackers are inside a certain app.
One could use F-Droid and Yalp Store[2] to try and have a bit more privacy on an Android phone and make it work without a Google account.
Too bad it works by creating a local VPN - I'm already using "Block This!" to block ads on my device which also works via a VPN, so you can't use both at the same time.
So let's see here. There are apps that people download which, in a way, replicate themselves by enticing other people to download them often using some form of psychological engineering. These apps then compromise the person's data by streaming it to a server.
The word "app" is frequently used, but these sound more like computer viruses with a friendly UI, no?
> The word "app" is frequently used, but these sound more like computer viruses with a friendly UI, no?
I think that's a pretty profound way to look at it, but under a broader rubric -- perhaps "User-friendly malware" would be a better euphemism. It's also an ideal way to describe things like Windows Update.
It's easy to imagine some of history's most notorious virus authors going straight, working for Facebook and Microsoft. More money, more respect, and the retirement plan beats going to prison.
The established name for this sort of "phishing" malware is "Trojan horse malware" https://en.wikipedia.org/wiki/Trojan_horse_(computing) - a malicious computer program which is designed to appear non-suspicious and mislead users wrt. its malicious activity. The irony is that the complex "app-specific privileges and permissions" system featured on mobile OSs was specifically intended to prevent mobile "apps" being used as dangerous trojan-horses, as was - to a lesser extent - the model of centralized "app store" repositories. It's not working very well.
In this case, we're specifically dealing with spyware - a common sort of malware where the malicious activity is invading the user's privacy.
> The word "app" is frequently used, but these sound more like computer viruses with a friendly UI, no?
Malware for sure. Like phishing: "fraudulent attempt to obtain sensitive information ..... by disguising as a trustworthy entity in an electronic communication."[0]
I find it insane how I can visit Agoda in a private tab. Search for hotels. Visit 2 of the hotels. Then switch to Facebook and almost immediately get adverts for exactly those 2 hotels...