Sunday, April 24, 2011

The New Evil Empires

I've been an Apple technology fan for most of my adult life. My first computer was an Apple, I once took a summer job just because the office had a Mac in it, and I managed my university's multimedia lab, just so I can get the latest and greatest models and toys (oooh, a CD reader! Shiny!). The distinction is, I always liked the technology - not the company.

For a company that was started by 2 hackers in a garage, Apple did its best to distance itself from its origins. Everything is closed: their OS is not licensed, their devices can only be used in certain ways (the only reason I can't buy my parents an iPod is because I'll spend a lifetime to explain iTunes to them. Better to give them an off-the-shelf drag-music-into-it MP3 player), their SDKs carry an agreement license that requires an army of lawyers to decipher. Until this very day I hope I haven't signed away my first born to Steve Jobs when I joined the Apple Developers program. As for the real quality of their hardware - this deserves a separate post.

In short, Apple became Microsoft (or what Microsoft used to be). And last week, when the facts came out that Apple is collecting location data on everyone who uses an iDevice, Apple just became as evil as Google (remember the wifi tap fiasco?). I know, some people think this is not a big deal. Those people haven't yet used the free application that accesses that log file and draws all points on a map.

I was shocked to see every single place I visited and every trip I took mapped down with dates (can I at least use this for my expense reports in lieu of collecting a mountain of receipts?). I have nothing to hide, but still, why would anyone want to collect this data on me?

As in the Google case, Apple claimed it's a bug: they were supposed to keep just the last location (why?), and their algorithm just "forgot" to clean the history. And as in the Google case, I think the company means that the bug is the exposure and bad publicity they are receiving.

It has since came out that Google is also collecting location data on Android phones - and even transmits it back to HQ several times an hour. I wonder if there's a place for a class action, suing them for using my bandwidth without my permission. But this is just further proof that the equation Apple == Google holds.

At the time of this posting, there's still no way to stop the location tracking on either iDevice or Android phones. I assume it would come out with the next OS update (and let me hazard a guess: it will be buried deep in the settings screens, with the default turned to "on").

But Apple and Google are not alone. Even new start-ups play at being evil. Take for example one of my favorite products: Dropbox. I love this product and use it on a daily basis. One of the assurances they made, to entice people to trust them with their most secure data, was that the files are doubly encrypted: even Dropbox's developers cannot access their contents. Last week it came out that is not really the case. Not only are the files accessible, but have been shared with law enforcement agencies in the past. This means Dropbox's employees can access them - they are just told not to.

It is a known fact that a security chain is only as strong as it weakest link. If your company/bank/financial institute is maintaining unencrypted secure or personal data, all it takes for it to be abused is one disgruntled or underpaid employee. That's why we need double-blind encryption algorithms, access mechanisms and audit systems in place, and that's why banks vet their employees. With the new wave of start ups offering to maintain you most personal data, maybe we should demand encryption and employee vetting?

And finally, the last straw in this privacy and security infringement month: the Epsilon hack. It turns out many companies that I trust with my email (I'm talking to you Hilton and Best Buy) actually give it away to 3rd party companies to manage their marketing campaigns. And at the beginning of the month, that company was hacked big time (take a look at the list of companies affected). This prompted a torrent of emails from these companies warning their users not to trust any further emails from these companies, because they might be phishing scams (the irony is not lost).

The bottom line of this post is not "Trust no one" - that way leads to paranoia (although every fact I've seen so far suggests a bit of paranoia is justified when it comes to companies). No, I think what we should take away from all those stories is this:
comfort x security = k

In other words, to get more comfort (free services, immediate access) we have to give away some of our security and vice versa.

This still doesn't justify spying on your clients - that is pure evil.

Update 4/29/11:
A few days ago, people started talking about an outage on Sony's PlayStation Network. Sony at first claimed it was technical difficulties. As days passed, they were forced to admit their network was hacked. As I'm writing this update, the first credit card numbers of PSN users are being sold on hacker sites. Way to go with maintaining your network and encrypting your data, Sony. I sincerely hope some IT managers are performing Harikiri as I write this. Jerks.


avi said...

A good read. I had troubles finding the "share" button on this article, so I had to paste the URL.

Doug Laney said...

iPhone user agreement is online. Says in black and white up-front that they may collect location data "including the real time geographic location of your iPhone." http://ima­­com/legal/­sla/docs/i­phone.pdf. Further evidence of the literacy problem in America, and our propensity to be easily distracted by bright shiny objects.

Traveling Tech Guy said...

Avi, do you mean a Facebook button? Took those off - maybe I need to bring them back.

DBrian, I live in California, where the courts tend to frown on adding anything to contracts that may limit any of your existing rights. E.g.: my last employer had a clause in the severance contract saying I'm not allowed to discuss my severance details with ANYONE, adding "even if you live in California", completely treading on my 1st amendment rights - guess I'm in violation of that now. A contract like that would be kicked out of court here.

Sadly, the right to privacy is not promised or enforced anywhere. This allows Hilton to sell my address to "partners" and allows Apple to follow you around.

I wouldn't be surprised if somewhere in that contract they specify they have the right to listen to random conversations - maybe just to gauge the line quality. And then again, I wouldn't be surprised if Apple cultist would jump up and ask what's the problem with that? "If you have something to hide, don't say it on the phone". And if you don't want to be tracked, leave your smartphone at home. Come to think of it, leave it at the Apple store.