Skip to main content

How can we ensure our tech isn’t spying on us?

(Image credit: Image source: Shutterstock/violetkaipa)

Have you ever noticed that web and mobile ads somehow seem to know what your interests are? Do you ever think about who all can access your emails that are stored on an email server? How about the gadgets in your home—do you ever wonder if they are spying on you?

You’re not alone.

Websites tracking users

Websites have many ways of tracking users. You’ve probably heard of cookies, but cookies are just the tip of the iceberg. Websites can also track users through many other mechanisms including unique identifiers in cached content, web storage, and more.

There are also sneakier means, such as browser fingerprinting, that don’t rely on a website storing data on your device. Techniques such as this often attempt to uniquely identify browsers rather than users. This might be all that’s required to track a user’s activities on a device.

Why do websites want to track your activities?

Generally, it is to show you ads for products or services that you might be interested in. Ad networks inject content into many of the sites you visit. They track the pages you’ve visited and then show you ads related to content you’ve looked at on those pages.

What if you don’t want sites to track your internet activity?

The only fool proof solution is to stop using the internet. But, let’s be realistic. A practical (albeit not 100 per cent effective) solution is to open a private browsing window (e.g., Incognito window in Chrome, Private window in Firefox, InPrivate window in Edge). Conduct any browsing that you don’t want tracked in such windows.

To further support the concept of private browsing, never sign into websites in a private window. Additionally, close these windows periodically to wipe away the data that can be used to track you from the websites you visited in private windows.

Note that websites may still be able to track you using your IP address. Your internet service provider (ISP) may also be able to track your internet activity. If you’re concerned about this, use a browser like Tor to browse the internet. However, I generally would not recommend this for users unless they understand the technology and its limitations.

Mobile apps tracking users

Many of the browser-based tracking techniques don’t work with mobile apps unless you’re using a web browser on your mobile device. For mobile apps installed on your device, the operating system typically generates a unique advertising identifier for your device and shares it with any installed apps that request it. Apps can send this identifier to ad networks to identify the most relevant ads to share with you.

If you want to avoid being tracked this way, change your device’s settings to generate a different identifier for each application. While each application will still be able to track your activities within the application, they won’t be able to collude to track your activities across applications.

Many people are also concerned about location tracking through mobile devices. If given permission to do so by end users, mobile applications can obtain the current location of the device on which they are installed. Devices obtain this information using a variety of methods including GPS, Wi-Fi geolocation, cellular geolocation, IP geolocation, and more.

The best way to prevent this is to not give applications access to your location information. All versions of iOS and Android 6.0+ allow you to deny installed applications access to location information. However, even if an application is not given permission to gather a device’s specific location, it can still identify the general location (i.e., what city the user is in) using the device’s IP address. Preventing this generally requires using a technology like Tor or a VPN connection.

Accessing your emails

Almost anything online can theoretically be accessed by others. Accounts can be compromised. Malicious employees may be able to read content stored on servers or back-up tapes. There’s always a chance that the device or servers that your content is stored on can be compromised. Any free applications or services that you use are likely extracting information from your data. They do this to provide the service to you for free.

Of course, paid services can also—and often do—analyse your content and extract useful information from it. Whether an actual person is reading your content depends on the companies that you’ve shared your data with and on their privacy policies.

Eavesdropping on conversations

Users often worry about whether devices in their homes with microphones are listening to them and uploading their conversations to the internet. Whether this is true depends on the devices in question.

Many consumer devices use on-device keyword spotting. They listen for a keyword (e.g., Alexa) or a key phrase (e.g., Hey Siri) on the device itself. Once they hear the keyword or key phrase, they will start recording and sending the recording to server-side components. They don’t normally record and upload all your conversations. But, things can and do go wrong from time to time.

There are also some devices that may always be recording and uploading your conversations by design. A few years ago, there were reports that some smart televisions may be doing just that.

Of course, if any device with a microphone is compromised, malicious software can turn on your microphone and continuously upload your conversations.

What do you do if you’re concerned about privacy?

Avoid using devices that have built-in microphones. Check your device settings to see what applications can access the microphone. Do some research before you purchase an internet-connected device in order to understand the information it collects.

Sharing your photos and videos

Users often worry that mobile applications might be able to record videos, take photos, or access your photo library without permission. Access to cameras and libraries on mobile devices is controlled using application permissions.

Once a user gives an application access to the device’s camera or photos, the application can use the device’s camera whenever it wants and do whatever it wants with the user’s photos. Depending on the mobile operating system, camera access may or may not be possible when the application is not in the foreground.

Legitimate applications request and use camera and photo access for various purposes, the most common being to share them with your friends or to back them up. Once they have access to your photos, applications can also algorithmically extract useful information from them for targeted advertising.

As with any permissions, be careful about which applications you allow to access your camera and photos. If your device is compromised, permissions are irrelevant and the application can obtain access to anything it wants on your device.

Protecting yourself

There are four pieces of advice that everyone reading this should walk away with.

First, do not allow permission to access your personal data unless you trust the application. Really think about the data you are sharing with an application and ask yourself, “does the application really need access to that data?”

Second, be very careful about the applications you install on your device. A compromised device cannot protect your privacy.

The third tip is to use private browser windows for “anonymous” browsing. Do not sign into any websites in the private windows and remember to close these windows periodically.

Lastly, if there is something that you would never want anybody else to be able to read, do not enter it into any application.

There is no such thing as 100 per cent privacy protection. To live in 2018, we must give up some of our privacy. But, not to worry. We simply need to take some precautions to ensure that our activities are as secure as humanly possible.

Amit Sethi, principal consultant, Synopsys
Image source: Shutterstock/violetkaipa

Amit Sethi is a principal consultant at Synopsys. He specialises in mobile security, online game security, and cryptography.