2017-06-25 07:00 by Karl Denninger
What won't stop?

Out-of-scope data collection, correlation and sales.

In other words forced divulging of data from you, or about you, for other than the purpose you reasonably both expected and agreed to.

Let's take Android.  You turn on maps, which is a Google-provided program to get you from "X" to "Y".  That Google would use your location during that time to provide you not only that service but also possibly ads related to where you are is reasonably-foreseeable and something that makes sense you'd agree to in order to get the requested service.

But now let's look at the other side.  You have a weather application on your phone.  That application has ads.  The ads are context sensitive so (for example) knowing that you're near a sub shop it might show you an ad for that.  Fine, thus far.

But not so fine when Google pops up a prompt to review that sub shop should you set foot inside when you didn't use Maps, or any other Google software that could have reasonably known that.

Oh, and you can't turn that off either -- that is, you're forced to allow one company to have access in order for anyone else to.  Google ensures this by not allowing you to "gate" applications so they only have access and can run when in the foreground (e.g. visible on the screen) -- but they sure will gate their YouTube app so you can't listen to the audio associated with a video being played unless you are physically watching it (and thus can see their ads!)

Now that particular example (which is really common) is just annoying, never mind costing you money (since the traffic to do that goes over a network you pay for, yet you get nothing in return.)

But what happens when that data, which Google and dozens of other firms now have, is sold to a data broker who in turn uses it to set a risk profile for your health insurance and thus what you pay for it?

What about when it goes into your car insurance or homeowner's insurance pricing?

Or, when the fact that you did not go past a Best Buy means that Amazon charges you a higher price for something that you could have bought at Best Buy -- and might have, had you gone by there.

Think all of this is theoretical?

It's not.

It's happening.  All of it.  Right now, in real time.

And utterly none of that is something you reasonably expected to happen when you "gave consent" nor would you likely give consent if you knew in advance.

I'll give you an example.  My Android phone is idle right now.  I deliberately closed all of the apps, and force-closed everything in the app drawer.  Of course some of them immediately started back up.  I also blocked a lot of Google's stuff.

Nonetheless, look at this which is a tiny snippet of what goes on all the damn time:

09:32:34.368602 IP D5.Denninger.Net.47430 > Flags [P.], seq 1:518, ack 1, win 343, options [nop,nop,TS val 175172 ecr 359567624], length 517
09:32:34.395562 IP > D5.Denninger.Net.47430: Flags [S.], seq 3364819207, ack 4270951170, win 28960, options [mss 1460,sackOK,TS val 359567660 ecr 175168,nop,wscale 5], length 0
09:32:34.400981 IP > D5.Denninger.Net.47430: Flags [.], ack 518, win 939, options [nop,nop,TS val 359567665 ecr 175172], length 0
09:32:34.401909 IP > D5.Denninger.Net.47430: Flags [P.], seq 1:153, ack 518, win 939, options [nop,nop,TS val 359567666 ecr 175172], length 152
09:32:34.402726 IP D5.Denninger.Net.47430 > Flags [.], ack 1, win 343, options [nop,nop,TS val 175175 ecr 359567624], length 0
09:32:34.405302 IP D5.Denninger.Net.47430 > Flags [.], ack 153, win 343, options [nop,nop,TS val 175175 ecr 359567666], length 0
09:32:34.407235 IP D5.Denninger.Net.47430 > Flags [P.], seq 518:569, ack 153, win 343, options [nop,nop,TS val 175176 ecr 359567666], length 51

The traffic out of the WiFi interface (if it's on) is continuous and it's all encrypted.  I have no way to know what the **** is being sent or who the actual target is; being encrypted I can't see what is in the data payloads.  Akamai is a common "cloud" data aggregation and delivery system but the point remains -- what's being sent, to whom, and by what?  I have no way to know and no way, other than shutting off both cellular and WiFi, to stop it.

Then there's "markmonitor" -- which is the target of some of the traffic on  When did I consent to my device sending something encrypted to them?  Their claimed "business model" is "brand protection."  What are they snooping for and in which app did that get into my device?  This one I have been able to track down -- Google's apps are sending to them.  Why is Google snooping around in my device and what are they sending to a "brand protection" company?

10:08:34.540999 IP6 2600:8807:8600:ea1:c978:9379:2f6c:c861.41337 > Flags [.], ack 1, win 395, options [nop,nop,TS val 345828 ecr 3390397241], length 0

There are dozens -- if not hundreds -- of others.  Some are from apps, but that belies the problem as well: Is not Google responsible for that which is in their app store?  Is not Apple responsible for that which is in theirs?  They create the "ecosystem" and they profit from the "ecosystem"; they should be responsible for what the apps in said ecosystem do.

Some of the traffic is identifiable as legitimate and expected.  Transmissions going to and from "googleusercontent", for example, or the IPSEC communications necessary for WiFi calling to work.  If I actually use an app then obviously it may have to go get something from the network and that's legitimate too.

But this traffic is all happening on a device that is sitting idle and yet it is continually collecting and exchanging data with a lot of "someones" unknown and unnamed, for unknown purposes.
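As an added illustration (not from the original post): the triage the post does by eye on that tcpdump output can be done over a saved capture log, tallying payload bytes per remote host, noting which connections the idle device itself opened, and listing the hosts that match none of the service suffixes you consider expected.  The capture, the hostnames and the addresses below are constructed placeholders, not the post's real traffic.

```python
import re
from collections import defaultdict

# Matches tcpdump's default TCP summary line as quoted in the post (IP6 lines look the same):
# "<time> IP <src>.<port> > <dst>.<port>: Flags [<f>], ... length <n>"
LINE_RE = re.compile(r"^(?P<ts>\S+) IP6? (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\].* length (?P<len>\d+)$")

# Constructed sample capture with placeholder hosts (device.lan is the idle phone).
SAMPLE = """\
09:32:34.360000 IP device.lan.47430 > cdn.example.net.443: Flags [S], seq 4270951169, win 29200, options [mss 1460,sackOK,TS val 175168 ecr 0,nop,wscale 7], length 0
09:32:34.395562 IP cdn.example.net.443 > device.lan.47430: Flags [S.], seq 3364819207, ack 4270951170, win 28960, options [mss 1460,sackOK,TS val 359567660 ecr 175168,nop,wscale 5], length 0
09:32:34.368602 IP device.lan.47430 > cdn.example.net.443: Flags [P.], seq 1:518, ack 1, win 343, options [nop,nop,TS val 175172 ecr 359567624], length 517
09:32:34.401909 IP cdn.example.net.443 > device.lan.47430: Flags [P.], seq 1:153, ack 518, win 939, options [nop,nop,TS val 359567666 ecr 175172], length 152
09:32:34.407235 IP device.lan.47430 > cdn.example.net.443: Flags [P.], seq 518:569, ack 153, win 343, options [nop,nop,TS val 175176 ecr 359567666], length 51
10:08:34.540999 IP6 2001:db8::c861.41337 > 2001:db8:ffff::1.443: Flags [S], seq 1, win 395, options [nop,nop,TS val 345828 ecr 0], length 0
10:08:35.100000 IP6 2001:db8::c861.41337 > 2001:db8:ffff::1.443: Flags [P.], seq 1:201, ack 1, win 395, options [nop,nop,TS val 345900 ecr 3390397300], length 200
"""

def host_of(endpoint):
    """Strip the trailing '.port' that tcpdump appends to a hostname or address."""
    return endpoint.rpartition(".")[0]

def summarize(lines, local_hosts):
    """Per remote host: payload bytes out/in, connections the device itself opened, packet count."""
    stats = defaultdict(lambda: {"bytes_out": 0, "bytes_in": 0, "opened": 0, "packets": 0})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a TCP summary line (ARP, UDP, DNS, ...): skip it
        src, dst, n = host_of(m["src"]), host_of(m["dst"]), int(m["len"])
        if src in local_hosts:  # outbound: the idle device is talking
            s = stats[dst]
            s["bytes_out"] += n
            if m["flags"] == "S":  # bare SYN means the device initiated the connection
                s["opened"] += 1
        elif dst in local_hosts:  # inbound reply
            s = stats[src]
            s["bytes_in"] += n
        else:
            continue  # neither end is the device under observation
        s["packets"] += 1
    return dict(stats)

def out_of_scope(stats, expected_suffixes):
    """Remote hosts the device talked to that match none of the expected-service suffixes."""
    return sorted(h for h in stats if not any(h.endswith(x) for x in expected_suffixes))

if __name__ == "__main__":
    st = summarize(SAMPLE.splitlines(), {"device.lan", "2001:db8::c861"})
    for h in out_of_scope(st, ("googleusercontent.com",)):
        print(f"{h}: {st[h]['bytes_out']} B out, {st[h]['bytes_in']} B in, opened {st[h]['opened']}")
```

Feed it the output of tcpdump -n -i <iface> tcp (with -tt if you want epoch timestamps) captured at the gateway while the device is idle; the same tally works on IPv6 lines because the port is always the last dot-separated field.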

What's worse is that all of these companies -- Facebook, Google, Apple, Snap, etc -- do this sort of thing and yet claim that they "deidentify" you.  This is nonsense; anyone with more than a few bits of these data pieces from multiple sources can with a very high degree of certainty attach your name to said "anonymous" advertising numbers, and poof -- you are known with certainty and forever, personally.

Oh, and incidentally it's just a matter of time before some nefarious jihadi type group buys up and correlates some of this data and then uses it to target people they want to kill by group.  It would be utterly trivial, for example, to identify active-duty military personnel in this fashion -- or cops, firefighters, etc.

How do we know they haven't already done this and are simply deciding when to use said data?

We don't, but it's incredibly naive to believe they haven't thought of it or won't do it.  They both have and will, and when it happens it will be our fault for allowing this crap to go on for as long as it has.  It will be our willful and intentional blindness to ridiculous exploitation and abuse served up on the American population daily that will be directly responsible for these deaths, and they will number in the thousands "all at once", making 9/11 look like a Girl Scout convention.

Let me point out once again that I did not consent to some unknown thing sending data on me all the time on a literal second-by-second basis -- and not just once, but dozens of times which nearly all appear to be wildly "out of scope" to what I did consent to.

Not only does all of this trash my battery and cost me money it also costs me anything that might be considered "privacy" too, and there is no way for me to know what that data is, who it's being sent to or why.

There are a number of relatively simple mandates that could take care of a big part of this problem.  Not all of it -- but a large part of it.  Specifically, the law could require that:

  • "Bundling" of application permissions is barred as a matter of law.  In other words it is explicitly prohibited for a manufacturer of an operating system, phone or other device to "whitelist" their apps and force you to take them and their demands to be able to see and transmit data as a group.  The impact of this today is that it is functionally impossible for me to have a weather application able to "see" the GPS or network location data (to know where I am) without Google's apps also being able to see the same thing.

  • Permissions must be able to be set separately for "with focus" and "in background" (defined as when not in focus), on a granular, per-application basis. Objecting to a mapping application being able to see your location while you're actively looking at it is stupid -- obviously, it can't work without that capability.  The same capability when the app is not visible is another matter, and what's worse is apps that stick pieces of themselves in the background and run without your knowledge, often at startup and on a permanent, persistent basis.  The current "model" of permissions where you can "deny" location, for example, to a mapping program is one that Google (and Apple) knows is worthless.  Denying location to a map application makes it worth nothing, of course, but denying it location when not in the foreground would make it impossible for it to grab your location when not being actively used and send it to "whoever."

  • Denying the ability of an application to run in the background must be one of the supplied permissions.  Maybe you wish to let Facebook run in the background, and perhaps you do not.  Some things (like a message app) might require that ability in order to be useful but a whole host of apps are perfectly useful without this ability and yet they frequently register and use background components.  All of the benefit of that is for the app developer (and whoever he sells data to) and none of that benefit is for you.  The inability to prevent this is outrageous.

  • Permissions must include access to the network.  If an app cannot obtain location information, cannot scan data on the device and cannot transmit or receive information when it is not in the foreground then a huge amount of the current data mining becomes instantly impossible.

  • Users must be able to change (1) the resolvers used for DNS lookups and (2) firewall and host mapping tables.  My device, my decision on what it can talk to and under what conditions.  Right now both Google and Apple deny access to these parts of the system although both are present.  Both Linux and the base iOS kernel have packet filtering available and both also trivially use a file called "resolv.conf" to determine where name resolution takes place.  These must be under user control so that I can, for example, block all traffic to and from one of those above-identified places should I choose to do so.  This is my piece of hardware, I own it and I have the right to control how it operates.  Period.

  • System services (e.g. Google's internal "play" services, etc) must not be able to circumvent these constraints.  Right now they both can and do.  The background "services" (those things that run "headless") must inherit the permission of the requesting application or program.  In other words Google's "Play Services" may not obtain your location unless the requesting caller has permission to obtain it in the current context (e.g. background or foreground) nor may it on its own collect and transmit said data independently.

  • App developers, including device vendors, must be compelled to disclose what they collect and why they collect it before you consent to loading such an application or, in the case of a pre-loaded app, before or at first use but before any collection and transmission occurs.  They must be barred, under criminal and civil penalty, from sale of such data "out of scope" to anyone, and any sort of "blanket permission" must be barred. In other words if you collect data "to provide better advertising" to me then you can't sell it to anyone who does not have as the sole and only purpose of its use providing said better advertising.  If you, for example, sell it to someone who is using it as part of producing a "credit risk score" you get shut down, your executives go to prison and you're financially ruined.  The use of such language as "or any other legitimate business purpose" must be explicitly unlawful.

  • This must be applied to all consumer devices, not just phones.  If your television is running an app platform (all the new ones are) this must be applied there too, with the same granularity.  Your "smart speaker"?  Same.  Refrigerator?  Same.  Washing machine?  Same.  Cellphones are just the most-obvious and pervasive example of this problem so far, but are far from the only one.  As another example I have already had to block a crazy number of IP addresses and ports from being able to be hit from a couple of webcams I have here.  They're nice and inexpensive but by default try to send a hell of a lot of data to god-knows-who for god-knows-why.  Good thing I control the device between them and the Internet and thus can interdict and stop all of that traffic, right?  You can't do it with a phone because (1) it has WiFi in it and while you control your home WiFi you don't control it anywhere else and (2) you don't control any of the cellular infrastructure.  Thus, the capacity for user control and interdiction for a cellphone must be at the device level (the above bullet point.)

  • These changes must be retroactive and a duty to destroy all existing data collected and stored without said consent must be imposed.  None of what has gone on so far has been legitimate or with consent.  The only difference between ****** and sex is consent, folks.

If these changes are not made now then these firms -- including all the big ones -- need to be shut down and criminally prosecuted right here, right now.

All of them, without exception.

Why?  Because all of them are grabbing data from you with no real consent as to what they're taking and the "big data" paradigm today means that they are using it beyond the scope of anything you did -- or could have -- reasonably consented to and understood.

If we don't demand and enforce this we will wake up one morning to find that a large swath of people have been targeted using these "technologies" and killed, or worse it will be used to map critical infrastructure and movement of people related to same, resulting in the death of millions all at once.

You've been fairly warned.

