Watch this episode on YouTube.
Reasonably Accurate 馃馃 Transcript
Morning everybody. How are you doing today? I wanted to tackle the topic of smartphones and personal profile information. Now we talked about that a lot last year on the show, but it's come up again, um, with three articles in the last week that kind of went, hey, there's something else going on here or at least it's time to revisit and to bring people back up to speed again.
So those three articles pretty straightforward. The first one was, um, John Chen, the CEO of Blackberry talking about how, um he would instruct his engineering team to break the encryption on their products. If so, um, asked by law enforcement now on its surface, it's not that bad of a thing for a CEO to say, hey, if we get a legal request, we are going to follow through on this.
In fact, that's what we want every CEO around the planet to say because we want companies to follow the law. But the problem here is that by breaking a system, you are actually going to put absolutely everybody at risk and it's a mismatch in, um, risk management in threat analysis.
So when this has come up in the States, this has come up in Canada, this has come up in another uh number of areas especially Australia, which actually passed legislation that permits this, um which is that, you know, companies are saying, or uh companies are saying we're building strong secure products, law enforcement is saying we're going dark because they're encrypted and we can't see them.
Um But that's only one side of the story. The encryption actually protects us as users um through millions and millions of transactions and interactions every day. Law enforcement has a very small portion here. Now, I've covered this debate a number of times I'll put the link up here um for or here for some previous videos on this.
Um and uh some links in the description as well. I didn't want to dive into that. But what I did want to tackle was this is sort of one point that said like, hey, smartphones are producing some data, some of that data is encrypted and people are blind to see.
Now that's in stark contrast to another article um that I read from Joseph Crox at motherboard who had a follow up uh from a piece he did last year um on data brokers and selling locations from your smartphone. Now, at the time, the US carriers have said, whoa we're going to stop this practice, you know, it's being abused, they haven't stopped this practice.
Well, what is that practice you're asking? Um basically what they do is not only to law enforcement but to a number of partners, they sell real time location data. Now, in the case of Joseph's investigative article, it's a really great headline. He basically said I gave $300 to a bounty hunter to help them track down this phone.
And what that was was he, um, had literally paid, uh, somebody in the bail industry who used their company's position, um, to go to a third party data broker. So T Mobile had the original phone, it went to one data broker, it went to another data broker for the location information.
And that third data broker was selling into the um bail bonds industry at this point. Um But it was a highlight of the fact that there is a whole secondary and third uh tertiary market for a real time location and a whole bunch of other data about your cell phone.
So again, second thing that kind of popped up and then the last thing was an article from the verge that highlighted that the latest Samsungs have Facebook installed as bloatware that you can't remove it turns out you can actually remove it. It takes a command line through a debugger.
You don't have to root the phone, but the average user is never going to figure that out. For a developer, it's easy to do. But for the average user for all intents and purposes, you can't remove Facebook from your phone, you can disable it but you can't delete it.
Now, there's another, uh there's a number of other apps that fall under the same category. Um But again, it was that last sort of like, hey, there's uh companies are saying they're gonna break encryption or at least one company Blackberry said that they'll actively break encryption.
Apple said flat out. No, Google's never come out publicly one way or the other on Android. Um Then we see from uh Joseph Cox that there's this active market for um real time tracking data. Um And we know there's a whole bunch of other markets for data brokerage and profiling.
And then Facebook, which is the worst culprit of all of them is uh is not removable for all intents and purposes on the latest set of Samsungs, these three together really highlight the fact that our smartphones while wonderful are generating a ridiculous amount of valuable information about us.
We need to take control of that. We need some sort of uh awareness. Um It's not necessarily a bad thing personally, I think it is, but that I would leave up to each and every individual. What I really have a problem with is that people are making these agreements without understanding them.
And so it's a, it's an expected, it's an assumed trade off as opposed to an explicit one. I've been in security long enough to know that everybody has their own initial feelings. They have their own position, they have their own use case. Um It's not for me to decide what's right or wrong.
But what I do feel is fundamentally wrong is making those assumptions for other people. I like to see that explicit trade off when you're booting up your phone. And it says, hey, by the, if you give this location information, here's what you'll get, here's what you'll give up, um, that in an open and honest way.
Now there was another example that popped up um this week uh on home front in Canada um around Bell Media, which is one of our big I SPS. They're doing a new opt in targeted advertising profiling thing and the way they worded it, it is totally disingenuous.
I'll put out a post I think on that. Um Probably this week or next week. Um because again, it's an example of how no to actually ask for consent, um and inform and educate your users. So some thoughts around that today, I think that will bubble up to something else that might be actually the first episode of that new podcast I mentioned in the first vlog of this year.
Um So, uh that's a great large audience sort of, hey, did you know your phone is doing this? Did you know there's a market for it? Um might make a great story there. What do you think? Um Are you aware of all this uh data brokerage, the secondary and tertiary markets for real time.
Let me know, hit me up online at Mark NC A uh for those of you who have vlogged in the comments down below as always uh for podcast listeners and everybody else by email me at Mark N dot ca. I hope you're set up for a fantastic day.
Um Look forward to having this discussion with you about these issues and this is gonna keep going uh for the foreseeable future. Uh, but it's a great thing to be discussing out in the open. Um, have a good one. I will talk to you online and I'll see you at the next show.
