As regular readers may have inferred, your humble blogger hates the business philosophy of most technology companies. Planned obsolescence (for instance, peak word processing was WordPerfect circa 1994). Trying to drive your data into the cloud, where you don’t own it. And all the spying. It drives me crazy when users fail to understand that if a service appears to be free, you and your data are being sold. I don’t mind it much when it is explicit with advertising, but the harvesting of the customer is rarely transparent. I particularly take umbrage at the degree to which smartphones are spy machines and resisted getting one until it became necessary with my last move.1
Two tidbits, one an existing issue that just came to my attention regarding the existence and uses of sensors in smartphones, another the latest Google offense of making its passkeys a default (this on top of Google actively out to deny traffic to smaller independent news/analysis sites) confirm my prejudices.
Yours truly is particularly sensitive to being geolocated, not that I even go out much, much the less anywhere on the wild side. Yes, you can turn off GPS location in your device, but in the iPhone, it takes a bit of scrolling to get to it, which sure looks intended to impede disabling, and I don’t trust even then that it is fully off.2
By happenstance, your perhaps naive correspondent just learned of a raft of other ways my smartphone spies on me. It has a barometer and an accelerometer. Of course, it also has a gyroscope to change the screen image when you rotate the phone.
The barometer particularly frosted Lambert and me. As Lambert wrote:
Users should have the right to turn off any sensor, as in not just the software but the sensor proper. When they can’t that’s a ginormous red flag.
Not only is their existence not well advertised (and yes, both iPhones and Androids have them) but you also can’t turn them off. You can remove it in a iPhone, but you need to take the device apart, and I don’t have anyone I trust to do that.3
A proof of concept paper in 2017 found that a user’s location could be estimated from these sensors alone. If someone, say, had their phone mainly off but intermittently made calls and/or looked at data, it’s not hard to imagine that a few additional location scraps would firm the picture up. From Sophos in GPS is off so you can’t be tracked, right? Wrong:
… several researchers from the Electrical Engineering Department at Princeton University who created an app they call “PinMe” to show that, with just a couple thousand lines of added code (plenty of games and apps have hundreds of thousands of lines of code), smartphone users can be tracked just as precisely as their GPS, even when it’s turned off.
The researchers – Arsalan Mosenia, Xiaoliang Dai, Prateek Mittal and Niraj Jha – in a 15-page paper published on the IEEE (Institute of Electrical and Electronics Engineers) website (paywall), describe how their app collects data from sensors in the device that don’t require special permission to access.
As they put it, in tests using an iPhone 6, iPhone 6S and Galaxy S4 i9500:
We describe PinMe, a novel user-location mechanism that exploits non-sensory/sensory data stored on the smartphone, e.g., the environment’s air pressure and device’s timezone, along with publicly-available auxiliary information, e.g., elevation maps, to estimate the user’s location when all location services, e.g., GPS are turned off.
….As they say, both iOS and Android are designed to run with third-party apps, of which there are hundreds of thousands on the market. And while smartphone operating systems are also designed to protect most personal information, “several types of non-sensory/sensory data, which are stored on the smartphone, are either loosely protected or not protected at all.”
Those include a gyroscope, accelerometer, barometer and magnetometer. According to the researchers, measurements from those sensors:
…are accessible by an application installed on the smartphone without requiring user’s approval. As a result, a malicious application that is installed on the smartphone and runs in the background can continuously capture such data without arousing suspicion.
Using what they describe as “presumably non-critical data” from those sensors, the app first determines what the user is doing – walking, driving a car, riding in a train or an airplane. As Christopher Loren put it, writing on Android Authority:
Moving at a slow pace in one direction indicates walking. Going a little bit quicker but turning at 90-degree angles means driving. Faster yet, we’re in train or airplane territory. Those are easy to figure out based on speed and air pressure.
A second team a year later showed how much sensor location it took to locate a user in selected cities. From CNBC:
You may think turning off your smartphone’s location will prevent this, but researchers from Northeastern University in Boston found that isn’t always the case.
“Not a lot of people are aware of this problem. Mainly because when we think about location, we associate it with the GPS on the phone,” said Sashank Narain a postdoctoral researcher at Northeastern.
In a test, Narain and his team were able to track people driving through Boston, Waltham, Massachusetts, and London. Traditional locators, like GPS were turned off — so the researchers used other sensors….
In order to track the test subjects, the researchers had them download what seemed to be a flash light app — but actually was gathering sensor data..
“In a place like Boston, which has a lot of unique turns and very curvy roads, you can get an accuracy of up to 50 percent of guessing the user’s location in the top five search results. In case of a place like Manhattan, which is mostly grid-like, it’s much more difficult,” Narain said.
The ability to track gets easier with more information.
“If you were to travel the same path every day, we have extremely high probability to guess where you live, where you work and what trajectories you took. Extremely high meaning that on repeated paths more than 90 percent,” Noubir said….
“We were not honestly expecting such high accuracies,” he said. “As the sophistication of these sensors on smartphones improve, as they become more and more accurate, this may become a primary means of invading users’ privacy.”
A new offense is Google doing its best to force its new passkey system on users by making it a default. The excuse is that it improves security…with biometrics to become a preferred log-in method. Admittedly this is not the only passkey validation option but all the writeups I have seen so far, presumably following Google messaging, list biometric ID options first. So what happens when someone gets that data? How do you get new fingerprints, say? And why should I trust any private company with that information? I know that horse left the barn and is in the next county as far as many consumers are concerned, but the casualness over handing over personal information in general, and biometrics in particular, is still disturbing.
From TechCrunch in Google makes passkeys the default sign-in method for all users:
Google has announced that passkeys, touted by the tech giant as the “beginning of the end” for passwords, are becoming the default sign-in method for all users.
Passkeys are a phishing-resistant alternative to passwords that allow users to sign into accounts using the same biometrics or PINs they use to unlock their devices, or with a physical security key. This removes the need for users to rely on the traditional username-password combination, which has long been susceptible to phishing, credential stuffing attacks, keylogger malware or simply being forgotten…
Passkeys, on the other hand, are made of two parts: one part is left on the app or website’s server, and the other is stored on your device, which allows you to prove that you are the legitimate owner of the account. This also makes it near-impossible for hackers to remotely access your account, given that physical access to a user’s device is needed, even in the event of a server breach.
And Google is up front about its aims:
On Tuesday, the company took a step closer toward killing off the password with the announcement that it’s making passkeys the default authentication method for all Google Account holders.
Yet another tax on my time in having to opt out, which you can be sure Google will not make easy.
1 I am a big fan of Justine Haupt’s 4G dumpphone project and if you can be a smartphone refusnik, it would give you a phone that should be viable for years, even a decade.
2 Not that the spook state is interested in me, but I would assume devices have backdoors and the GPS would be one of prime importance. A Faraday bag would solve the problem but I am not confident in those either. You can test their ability to bar phone signals, but how do you verify their GPS blocking, which uses different frequencies?
Readers may argue that cell phone triangulation can identify user location, but I’ve regarded that argument as intended to desensitize consumers to GPS tracking. GPS can locate you to +/- five meters. Even in a dense city, cell tower triangulation is more like +/- a city block, at the very best +/- 50 meters. However, your phone also provides information that can be used to locate you besides GPS and triangulation, such as Bluetooth and WiFi network interaction (needless to say, I keep Bluetooth off unless making specific use of it).
3 The barometer does have a vent on the left of the phone. If I were sure that the slot I see is indeed that, I wonder if a dab of school glue would render it useless.