Secret App Telemetry

Mornings With Mark no. 0165

Bad Robot Transcript

Morning, everybody. How you doing today? On this episode of the show, we’re going to talk about just how much your computer is sending out information about you without you knowing. There was a fantastic article in the Wall Street Journal published over the weekend that focused on 11 apps that were actually sending data to Facebook without users being aware of it. It at least focused on mobile applications, but this applies to pretty much anything that you’re using.

Now, in this particular case, the Wall Street Journal called out a number of health applications: workout trackers, ovulation and menstruation trackers, real estate apps, a glucose tracker. They had pretty much a decent mix, but a lot of them had some really important information and really personal information that was being sent out to a service that Facebook runs called App Events. This is not the only service of this type, but we’re going to run down a few of these in this video so that you understand what’s going on.

But like I said, this Wall Street Journal article called out these mobile applications, but I run what’s called a reverse firewall on my laptop that’s running macOS. I’m running Little Snitch, a fantastic little application, and it sees all the things that your laptop is requesting, with the option to block them or allow them.

So I’ve seen a huge amount of desktop applications that are also sending information out to services like the one that Facebook is running, and I want to talk to you about that issue in this video. So first of all, let me tell you the intended use of a lot of these things, because you’re going to see a few different services named: Facebook App Events, Google Analytics, Microsoft hockeyapp.net, Apple TestFlight.

The idea is to allow developers to gather more information about the use of their applications. In the case of TestFlight from Apple and hockeyapp.net, or HockeyApp, from Microsoft, the idea is to gather analytics around stability, around performance, in early stages of an application so that you can have a better development life cycle. And with Apple TestFlight it is a very explicit experience: “Hey, you’re trying a beta. Please give us feedback.” This is heavily monitored and there’s a lot more telemetry coming from the app than normal. In Microsoft’s example, it’s not so distinct, because it’s run for a lot of production applications as well.

But we see Google Analytics being used on desktop applications as well. I know you may be thinking, “Wait a minute, isn’t Google Analytics for webpage tracking?” Yes, it was originally, but they fully support being installed in a mobile application or desktop application to send custom events back so that you as a developer can track your users, or more, track your application usage.

Now Facebook App Events has the badge of shame, has the distinction, I don’t know how you want to phrase it, as being targeted about collecting those events explicitly for better advertising tuning, to track advertising metrics. And that’s according to the Facebook documentation. But all of these apps in their collective category are getting detailed events from applications that are running either on your tablet, your phone or your desktop and sending them back out to a third party somewhere on the net so that they can have fine-grained tracking of what’s going on.

Now what’s really important, and what’s really sort of shocking to a lot of users, comes to that desktop level. So I mentioned earlier I run a reverse firewall. Now what most ad networks and what most operating systems like Windows and like macOS and Linux are set up to do is to block incoming communications. Random services on the internet can’t just call in and start talking to your computer.

What they do allow is for your computer to call out and to receive a response. So the way through that wall coming in is if I called you, so that makes total sense. If you pull up a web browser and ping google.com, you’re allowed to see the response from that.

So any application that calls out normally is greenlit; it’s wide open. A reverse firewall stops that and actually pops up a prompt: “Hey, do you want to allow this type of communication out from this particular application?” Now I use this to narrow down the network traffic that’s running on my system, so I know if anything out of the ordinary is running, that I have a good awareness of that. It helps me just be generally aware, which helps in my line of work, but also just paranoid tinfoil hat.

Now, there’s a lot of services, you know, where you see things like Adobe Creative Cloud calls out to an insane amount of internet addresses, Microsoft Office keeps adding new domains that it’s talking to. But every once in a while you’re running a normal app or a completely localized app that you don’t expect is calling out, and you see it calling to these third-party services like hockeyapp.net, like Google Analytics.

And in those cases it is tracking your usage in some way, shape or form that you don’t know the specific details, because most of the time that data is encrypted. This is happening on mobile without that level of visibility as well. The whole point of the Washington, or the Wall Street Journal article was, “Hey, this is not cool. You shouldn’t be doing this,” and I 100% agree.

There is a balance to be struck between developers having better information, because it’s very costly to manage software that’s deployed somewhere. This is why the industry, for big enterprise apps and the majority of apps, has gone to a service model, because if you are running it in your services, in your cloud, and you manage all of the back-end infrastructure, it’s really easy to fix things and to add new services, add new features to your product. If it’s deployed on somebody’s system, you’re back into the cycle that we had for decades where you need to push them to do an upgrade. If they have a problem, you’re pretty much blind to it.

You’re relying on them to describe it. So getting some telemetry totally, totally makes sense. The problem is transparency. That’s really at the heart of this article: that there’s no transparency saying that your information in these cases was being sent to Facebook. And in the case of these very personal health trackers, fitness trackers, even the shopping for real estate, that has critical impacts to your privacy and to your digital well-being. In the case of some of your desktop applications, that might not have such a big impact, but it is still important to be upfront and transparent with your users.

Now, I have yet to find a really good example of a developer saying, “Hey, I use this service to track what’s going on so that we can get better performance, better usage metrics, to make a better product for you. And here’s exactly what we are tracking at each step of the way.” Making it upfront, making that clear to the user that that’s happening, and to give the user the ability to opt out is critical, because this started happening about five, six, seven years ago, where it’s standard practice for your applications to call back home and transfer some amount of information that may or may not be sensitive, and you have no idea.

I’m sure it’s buried somewhere in the user agreement or in the terms of service or in the privacy policy. But as we’ve covered many, many times, nobody reads them, and even if you tried you probably couldn’t understand it. So be aware. You can use a tool like a reverse firewall on your desktop, on your laptops, to stop that from happening. On mobile, you don’t have as many options. It is an issue we need to be aware of, it’s an issue developers need to be clear about, and we need to strike a balance somewhere.

What do you think? What’s your experience with this issue? Let me know @marknca, in the comments down below, and as always by email, me@markn.ca. Hope you’re set up for a fantastic day and we’ll see you on the next year.

