For many of us, using digital services is similar to invoking magic: We perform the rituals, tap on the right keys, and usually the outcome we wanted happens. If it doesn’t then the vast majority of us fall back on other rituals – turning it off and on again, appeasing the Wi-Fi gods, and so forth.
When it comes to security and making services work, consumers are, to a great degree, at the mercy of the companies involved and the systems that regulate them. We accept this in other areas of our lives, of course – few of us could drive a train, but we can all ride on one. However, few activities take up as much of our time as using digital services, and none of them are as intensely monitored.
As a result, we rely on others to be sure that personally sensitive data is secure. Indeed, in 2022 adults are more aware of this particular aspect than ever before. According to a recent study by Ping Identity:
- 75% of respondents said they would no longer engage with a brand online following a breach.
- 50% said they would not sign up for an online service that had recently been breached.
Online privacy regulation is responding to this growing awareness that action needs to be taken. Indeed, to quote a study by Datamation on privacy trends, “Data privacy regulations have cropped up in India, China and Brazil, with even more on the way. According to Gartner, 65% of the world’s population will have their personal data covered under a regional or global privacy regulation by 2023.”
The challenge, of course, is that regulation itself isn’t enough.
“In 2018, we made the first analysis of whether children-oriented applications were complying with the COPPA rules, which are the key part of the ‘GDPR for minors’ in the US. And we found that 51% of the applications that were children-oriented on Google Play were violating the law,” said Narseo Vallina-Rodriguez, Research Associate Professor at IMDEA Networks.
Who Watches The Watchers?
Vallina-Rodriguez has been working for a few years on demystifying the online environment for end users and regulators alike.
“The point is basically trying to assess whether mobile applications are completely transparent about the data that they collect about users and whether they are compliant with regulatory requirements,” he explained.
“What we are trying to do is basically create technology to assess all those risks automatically, then compare whether what they are claiming to do is actually aligned with what they actually do in practice, because you can implement one thing but then you can say whatever you want on the privacy policy.”
While this feels as though it should have been monitored long ago, the fact is that privacy regulation is still a very recent phenomenon. Europe’s GDPR – itself an early leader in the field – didn’t come into force until May 2018, which is why Vallina-Rodriguez’s work started with COPPA first.
“It was the strictest law that we could find with very clear rules – like you cannot collect geolocation from minors, no matter what. It also has several clear articles regarding what it considered as informed consent,” the researcher explained.
It is this specificity that makes it possible to translate rules, which are often based on general ethical principles that only a judge can test against, into something specific and measurable that a piece of software can check.
“[In our case] We basically installed them [the apps] on our testbed. We launched and we monitored the applications for a minute without interacting with them; so if we saw any personal data being leaked, there’s no way that it has been obtained with consent because we hadn’t interacted with the application.”
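The check the testbed performs on that idle minute of traffic is a match of everything the app sends against the identifiers the test handset is known to hold. The following is an added example, written for this page and not the research group’s own tooling; the device identifiers, hostnames and captured requests are constructed. The non-obvious part it shows is that apps and SDKs routinely hash or base64-encode an identifier before sending it, so a grep for the plaintext value misses most leaks: every encoded form is precomputed and searched for.

```python
import base64
import hashlib
from urllib.parse import unquote_plus

# Constructed identifiers for a test handset; none of these belong to a real device or person.
DEVICE = {
    "imei": "356938035643809",
    "android_id": "9774d56d682e549c",
    "email": "child.user@example.com",
}


def identifier_forms(kind, value):
    """Yield (kind, encoding, needle, case_sensitive) for the ways a value may be put on the wire."""
    raw = value.encode()
    yield kind, "plain", value, False
    for algo in ("md5", "sha1", "sha256"):          # hex digests: compare case-insensitively
        yield kind, algo, hashlib.new(algo, raw).hexdigest(), False
    yield kind, "base64", base64.b64encode(raw).decode(), True   # base64 is case-sensitive


def build_signatures(profile):
    return [form for kind, value in profile.items() for form in identifier_forms(kind, value)]


def scan_request(request, signatures):
    """Return sorted (kind, encoding, host) tuples for every identifier found in one request."""
    text = "\n".join(request.get(field, "") for field in ("path", "headers", "body"))
    # Search the raw wire form and a URL-decoded copy (query strings, form-encoded bodies).
    haystacks = (text, unquote_plus(text))
    hits = set()
    for kind, encoding, needle, case_sensitive in signatures:
        for hay in haystacks:
            a, b = (hay, needle) if case_sensitive else (hay.lower(), needle.lower())
            if b in a:
                hits.add((kind, encoding, request["host"]))
    return sorted(hits)


# Constructed capture, in the shape of what a testbed proxy records while an app sits idle.
CAPTURE = [
    {"host": "ads.example-tracker.net",
     "path": "/v1/init?dev=" + hashlib.md5(DEVICE["imei"].encode()).hexdigest(),
     "body": ""},
    {"host": "analytics.example.org", "path": "/collect",
     "body": "aid=9774D56D682E549C&e=child.user%40example.com"},
    {"host": "cdn.example-game.com", "path": "/assets/level1.png", "body": ""},
]


def scan_capture(capture, profile=DEVICE):
    """Leaks observed across a whole capture, deduplicated."""
    signatures = build_signatures(profile)
    return sorted({hit for req in capture for hit in scan_request(req, signatures)})


if __name__ == "__main__":
    for kind, encoding, host in scan_capture(CAPTURE):
        print(f"{kind:11s} sent as {encoding:7s} to {host}")
```

Because the app was never touched, any hit is by definition a transmission without consent; the hashed IMEI going to an ad host and the plaintext email in a form body both surface even though neither appears verbatim in the traffic. TLS-wrapped traffic needs the testbed to terminate TLS (a proxy CA trusted by the test device), and salted or truncated hashes still slip through this method.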
The real shock, however, came with geolocation information.
“We saw that most of the privacy leaks were happening on how to obtain your location. What they were doing was, for instance, obtaining metadata from pictures that were on the SD card. Or they obtained the Wi-Fi access point information, because this is in a fixed location and there are databases that are mapping those Wi-Fi access points to their geolocation.
“That’s basically what’s called a side-channel, which is like a way of avoiding the permission system on Android to have access to data.”
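The photo-metadata side channel is worth seeing in bytes, because it needs nothing more than the ability to read a file: the GPS fix the camera stamped into the JPEG’s Exif segment is sitting there for any code that can open the picture. The following is an added example (not the research group’s code); it builds a constructed JPEG carrying only a GPS IFD and then parses it back the way an app would, without touching any location API.

```python
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
GPS_IFD_POINTER = 0x8825                                   # IFD0 tag pointing at the GPS sub-IFD
LAT_REF, LAT, LON_REF, LON = 0x0001, 0x0002, 0x0003, 0x0004  # GPS IFD tags


def _rationals(dms):
    """Pack (deg, min, sec) as three EXIF RATIONALs, seconds carried to 1/100."""
    return b"".join(struct.pack("<II", int(round(v * 100)), 100) for v in dms)


def build_jpeg_with_gps(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed minimal JPEG: SOI, one APP1 Exif segment holding only a GPS IFD, EOI."""
    ifd0 = 8                               # IFD0 directly follows the 8-byte TIFF header
    gps = ifd0 + 2 + 12 + 4                # IFD0: count, one entry, next-IFD link
    lat_off = gps + 2 + 4 * 12 + 4         # GPS IFD: count, four entries, next-IFD link
    lon_off = lat_off + 24
    tiff = b"II" + struct.pack("<HI", 42, ifd0)
    tiff += struct.pack("<HHHII", 1, GPS_IFD_POINTER, 4, 1, gps) + struct.pack("<I", 0)
    tiff += struct.pack("<H", 4)
    tiff += struct.pack("<HHI", LAT_REF, 2, 2) + lat_ref.encode() + b"\0\0\0"
    tiff += struct.pack("<HHII", LAT, 5, 3, lat_off)
    tiff += struct.pack("<HHI", LON_REF, 2, 2) + lon_ref.encode() + b"\0\0\0"
    tiff += struct.pack("<HHII", LON, 5, 3, lon_off)
    tiff += struct.pack("<I", 0) + _rationals(lat_dms) + _rationals(lon_dms)
    payload = b"Exif\0\0" + tiff
    return SOI + b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + EOI


def _ifd(tiff, end, offset):
    """Map tag -> (type, count, raw 4-byte value/offset field) for the IFD at `offset`."""
    (n,) = struct.unpack(end + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(end + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, count, tiff[e + 8:e + 12])
    return entries


def _degrees(tiff, end, entry):
    """Decode a 3-RATIONAL GPSLatitude/GPSLongitude entry into decimal degrees."""
    typ, count, field = entry
    if typ != 5 or count != 3:
        raise ValueError("unexpected GPS coordinate encoding")
    (off,) = struct.unpack(end + "I", field)
    d, m, s = (num / den for num, den in struct.iter_unpack(end + "II", tiff[off:off + 24]))
    return d + m / 60 + s / 3600


def _parse_tiff(tiff):
    end = {b"II": "<", b"MM": ">"}.get(tiff[:2])           # byte-order mark
    if end is None:
        raise ValueError("bad TIFF byte order")
    magic, ifd0 = struct.unpack(end + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF header")
    pointer = _ifd(tiff, end, ifd0).get(GPS_IFD_POINTER)
    if pointer is None:
        return None
    (gps_off,) = struct.unpack(end + "I", pointer[2])
    gps = _ifd(tiff, end, gps_off)
    if not all(t in gps for t in (LAT_REF, LAT, LON_REF, LON)):
        return None
    lat = _degrees(tiff, end, gps[LAT]) * (-1 if gps[LAT_REF][2][:1] == b"S" else 1)
    lon = _degrees(tiff, end, gps[LON]) * (-1 if gps[LON_REF][2][:1] == b"W" else 1)
    return round(lat, 6), round(lon, 6)


def exif_gps(jpeg):
    """Return (lat, lon) in decimal degrees from the Exif GPS IFD, or None if there is none."""
    if not jpeg.startswith(SOI):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                      # EOI / start of scan: metadata is over
            break
        (seglen,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            return _parse_tiff(jpeg[pos + 10:pos + 2 + seglen])
        pos += 2 + seglen
    return None


if __name__ == "__main__":
    # Constructed photo "taken" near Puerta del Sol, Madrid: 40°25'0.48"N, 3°42'13.68"W.
    photo = build_jpeg_with_gps((40, 25, 0.48), "N", (3, 42, 13.68), "W")
    print(exif_gps(photo))   # (40.4168, -3.7038), obtained with file access alone
```

Reading every picture on external storage this way yields a history of where the user has been, at sub-street precision, under a storage permission that reads as harmless to a parent. Android 10 closed this particular path by redacting location metadata from media files unless the app also holds ACCESS_MEDIA_LOCATION, which is one of the fixes the text goes on to mention.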
While this was happening in applications for children, this side-channel data extraction turned out to be common across the board.
“We discovered that thousands of applications on Google Play were abusing other side-channels that were not really protected, basically to have access to personal data.”
Vallina-Rodriguez is keen to stress that, following publication of their findings in 2019, Google did fix a number of these problems in Android 10. However, in a digital economy driven by data about users, the temptation to build insights into users is huge.
Much as attackers are rewarded for finding ways to exploit poor coding, app developers are rewarded for finding ways to infer or discover user data while staying within the letter of the law. Even if they cannot use it directly, the data itself is an asset for the company and can be traded.
Not Only Mischief, But Also Mistakes
While there is no doubt that some data extraction is deliberate and skirts regulation, another parallel with the world of computer security is that many application developers simply do not look at their code the way an attacker would. A project short on time, or driven by people without the right skills or mindset, can be as leaky as something built to leak on purpose.
One striking example is Google’s exposure notification API for the COVID-19 pandemic, built jointly with Apple. The API was designed so that public health agencies worldwide could build their own contact-tracing applications on top of it while keeping users anonymous. It brought Google a great deal of positive publicity.
“Then we found that Google was printing information that was in theory sensitive on the system logs,” said Vallina-Rodriguez.
The system logs are a device’s own records, which users can share with the manufacturer to help identify bugs, flag up system crashes and so on; on Android they are also readable over a USB debugging connection and by pre-installed apps holding the READ_LOGS permission, so anything written to them is effectively outside the writing app’s control. In this case the API was recording some surprising data onto the logs, “Like the MAC addresses of the Bluetooth devices that users were discovering, but also whether the user had tested positive or not.”
“So basically we discovered a major data breach of medical data and the story was… quite interesting,” Vallina-Rodriguez grinned ruefully. “We notified Google of this issue in February 2020.”
The flaw was fixed four months later.
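The defect is a logging pattern rather than a cryptographic one, and the fix is mechanical: decide which fields may never be written to a shared log and mask device identifiers before formatting. The following is an added illustration, not code from the Exposure Notification framework or from the researchers; the event fields (`peer`, `rssi`, `test_result`, `diagnosis_key`) are assumed names for this example, and Python is used for consistency with the other examples on this page, although the same pattern applies in an Android app’s Java or Kotlin logging code.

```python
import re

MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b")
# Fields that must never reach a log that can be shared or read by other parties.
# The key names are assumed for this example.
SENSITIVE_KEYS = frozenset({"test_result", "diagnosis_key"})


def format_event_unsafe(event):
    """The pattern the text describes: every field, identifiers and health status included, is logged."""
    return "EN scan: " + ", ".join(f"{k}={v}" for k, v in event.items())


def mask_mac(text):
    """Keep the vendor prefix (OUI) for debugging, drop the device-specific half of any MAC."""
    return MAC_RE.sub(lambda m: m.group(0)[:8] + ":xx:xx:xx", text)


def format_event_safe(event):
    """Hardened form: sensitive keys are dropped and any MAC in the remaining values is masked."""
    kept = ((k, mask_mac(str(v))) for k, v in event.items() if k not in SENSITIVE_KEYS)
    return "EN scan: " + ", ".join(f"{k}={v}" for k, v in kept)


def audit_log(lines):
    """0-based indexes of lines still carrying a full MAC or a sensitive key.

    This is the check a reviewer runs over a logcat dump captured while exercising the app.
    """
    flagged = []
    for i, line in enumerate(lines):
        if MAC_RE.search(line) or any(f"{k}=" in line for k in SENSITIVE_KEYS):
            flagged.append(i)
    return flagged


# Constructed events, shaped like what a Bluetooth scan in a contact-tracing app might produce.
EVENTS = [
    {"peer": "AA:BB:CC:DD:EE:FF", "rssi": -67, "test_result": "positive"},
    {"peer": "12:34:56:78:9A:BC", "rssi": -80, "test_result": "negative"},
]


def demo():
    """Audit results for the unsafe and the hardened formatter over the same events."""
    unsafe = [format_event_unsafe(e) for e in EVENTS]
    safe = [format_event_safe(e) for e in EVENTS]
    return audit_log(unsafe), audit_log(safe)


if __name__ == "__main__":
    print(demo())   # ([0, 1], []): every unsafe line is flagged, no hardened line is
```

The audit function is the part worth keeping around: running it over a logcat capture from a test device is a cheap way to catch this class of mistake before release, and it would have flagged both of the items the researchers reported.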
Where Next?
Privacy laws are still very much a new thing for regulators, users, platforms and application developers to address; in part because not all legislation is as easily testable as some of the COPPA provisions, but also because it challenges the established economy of much of the internet.
With Meta, Twitter, Google and Amazon all hit by recent legal wrangles relating to their use of personal data, it is clear that there is an appetite not only to curb abuses through regulation but also monitor and enforce the rules.
Meanwhile, a recent international white paper by law firm Gibson Dunn points out that in 2021 China, the UAE, Brazil, Russia, and Switzerland, among others, passed new laws, amendments or implemented regulations paving the way for a new round of significant data privacy regimes.
“It is expected that international authorities will make full use of their new powers in order to apply and enforce their respective data protection legislation in the near future,” the white paper reads.
Moreover, the scope of such legislation may be expanding beyond the use of directly “personal” data such as a name, age or location, reflecting the fact that much of the truly valuable information can be drawn from a person’s preferences, behaviour or search history.
“Chinese authorities announced the Internet Information Service Algorithmic Recommendation Management Provisions, which will come into force on 1 March 2022,” the paper comments. “These regulations apply to technology such as personalised recommendations, search filters and any algorithms that provide content to users. These regulations cover various services, such as social media platforms and entertainment streaming. The regulations not only apply to the Personal Information Protection Law, but also the Cybersecurity Law, Data Security Law and the Internet Information Services Management Rules for the purpose of promoting national security and public interests.”
It may be surprising to see this legislation originating in China. However, the government there is resistant to pushback from Big Tech in ways that Western governments are not. In this arena we might find that China is a bellwether for legislation elsewhere, as societies around the world adjust to our relatively recent, pervasive digital environment.