Nonfree (proprietary) software is very often malware (designed to mistreat the user). Nonfree software is controlled by its developers, which puts them in a position of power over the users; that is the basic injustice. The developers often exercise that power to the detriment of the users they ought to serve.
This document attempts to track clearly established cases of proprietary software that spies on or tracks users.
Table of Contents
- Spyware in Operating Systems
- Spyware on Mobiles
- Spyware at Low Level
- Spyware at Work
- Spyware on the Road
- Spyware at Home
- Spyware at Play
- Spyware on the Web
- Spyware Everywhere
- Spyware In VR
For decades, the Free Software movement has been denouncing the abusive surveillance machine of proprietary software companies such as Microsoft and Apple. In recent years, this tendency to watch people has spread across industries, not only in the software business, but also in hardware. Moreover, it has also spread dramatically away from the keyboard, in the mobile computing industry, in the office, at home, in transportation systems, and in the classroom.
Aggregate Information Collection
- They could change the policy at any time.
- They can twist the words by distributing an “aggregate” of “anonymized” data which can be reidentified and attributed to individuals.
- The raw data they don't normally distribute can be taken by data breaches.
- The raw data they don't normally distribute can be taken by subpoena.
Therefore, we must never pay any attention to what companies say they will do with the data they collect. The wrong is that they collect it at all.
Latest additions are found on top under each category.
Spyware in Operating Systems
Spyware in Windows
Windows DRM files can be used to identify people browsing through Tor. The vulnerability exists only if you use Windows.
By default, Windows 10 sends debugging information to Microsoft, including core dumps. Microsoft now distributes them to another company.
Some portable phones are sold with spyware sending lots of data to China.
- In order to increase Windows 10's install base, Microsoft blatantly disregards user choice and privacy.
Windows 10 comes with 13 screens of snooping options, all enabled by default, and turning them off would be daunting to most users.
- It appears Windows 10 sends data to Microsoft about what applications are running.
A downgrade to Windows 10 deleted surveillance-detection applications. Then another downgrade inserted a general spying program. Users noticed this and complained, so Microsoft renamed it to give users the impression it was gone.
To use proprietary software is to invite such treatment.
Windows 10 ships with default settings that show no regard for the privacy of its users, giving Microsoft the “right” to snoop on the users' files, text input, voice input, location info, contacts, calendar records and web browsing history, as well as automatically connecting the machines to open hotspots and showing targeted ads.
Windows 10 sends identifiable information to Microsoft, even if a user turns off its Bing search and Cortana features, and activates the privacy-protection settings.
Thus, Windows is overt malware in regard to surveillance, as in other issues.
The unique “advertising ID” for each user enables other companies to track the browsing of each specific user.
It's as if Microsoft has deliberately chosen to make Windows 10 maximally evil on every dimension; to make a grab for total power over anyone that doesn't drop Windows now.
It only gets worse with time. Windows 10 requires users to give permission for total snooping, including their files, their commands, their text input, and their voice input.
And there's a secret NSA key in Windows, whose functions we don't know.
Microsoft's snooping on users did not start with Windows 10. There's a lot more Microsoft malware.
Spyware in MacOS
Apple has made various MacOS programs send files to Apple servers without asking permission. This exposes the files to Big Brother and perhaps to other snoops.
It also demonstrates how you can't trust proprietary software, because even if today's version doesn't have a malicious functionality, tomorrow's version might add it. The developer won't remove the malfeature unless many users push back hard, and the users can't remove it themselves.
Various operations in the latest MacOS send reports to Apple servers.
Spotlight search sends users' search terms to Apple.
Spyware in Android
Pairs of Android apps can collude to transmit users' personal data to servers. A study found tens of thousands of pairs that collude.
Google Play intentionally sends app developers the personal details of users that install the app.
Merely asking the “consent” of users is not enough to legitimize actions like this. At this point, most users have stopped reading the “Terms and Conditions” that spell out what they are “consenting” to. Google should clearly and honestly identify the information it collects on users, instead of hiding it in an obscurely worded EULA.
However, to truly protect people's privacy, we must prevent Google and other companies from getting this personal information in the first place!
Google Play (a component of Android) tracks the users' movements without their permission.
Even if you disable Google Maps and location tracking, you must disable Google Play itself to completely stop the tracking. This is yet another example of nonfree software pretending to obey the user, when it's actually doing something else. Such a thing would be almost unthinkable with free software.
More than 73% of the most popular Android apps share personal, behavioral and location information of their users with third parties.
“Cryptic communication,” unrelated to the app's functionality, was found in the 500 most popular gratis Android apps.
The article should not have described these apps as “free”—they are not free software. The clear way to say “zero price” is “gratis.”
The article takes for granted that the usual analytics tools are legitimate, but is that valid? Software developers have no right to analyze what users are doing or how. “Analytics” tools that snoop are just as wrong as any other snooping.
Spyware is present in some Android devices when they are sold. Some Motorola phones modify Android to send personal data to Motorola.
Some manufacturers add a hidden general surveillance package such as Carrier IQ.
Samsung's back door provides access to any file on the system.
Spyware on Mobiles
Spyware in iThings
Apple proposes a fingerprint-scanning touch screen — which would mean no way to use it without having your fingerprints taken. Users would have no way to tell whether the phone is snooping on them.
iPhones send lots of personal data to Apple's servers. Big Brother can get them from there.
The iMessage app on iThings tells a server every phone number that the user types into it; the server records these numbers for at least 30 days.
Users cannot make an Apple ID (necessary to install even gratis apps) without giving a valid email address and receiving the code Apple sends to it.
Around 47% of the most popular iOS apps share personal, behavioral and location information of their users with third parties.
iThings automatically upload to Apple's servers all the photos and videos they make.
iCloud Photo Library stores every photo and video you take, and keeps them up to date on all your devices. Any edits you make are automatically updated everywhere. [...]
There is a way to deactivate iCloud, but it's active by default so it still counts as a surveillance functionality.
Spyware in iThings: the iBeacon lets stores determine exactly where the iThing is, and get other info too.
There is also a feature for web sites to track users, which is enabled by default. (That article talks about iOS 6, but it is still true in iOS 7.)
The iThing also tells Apple its geolocation by default, though that can be turned off.
Apple can, and regularly does, remotely extract some data from iPhones for the state.
Spyware in Telephones
According to Edward Snowden, agencies can take over smartphones by sending hidden text messages which enable them to turn the phones on and off, listen to the microphone, retrieve geo-location data from the GPS, take photographs, read text messages, read call, location and web browsing history, and read the contact list. This malware is designed to disguise itself from investigation.
Samsung phones come with apps that users can't delete, and they send so much data that their transmission is a substantial expense for users. Said transmission, not wanted or requested by the user, clearly must constitute spying of some kind.
A Motorola phone listens for voice all the time.
Spyware in Android phones (and Windows? laptops): The Wall Street Journal (in an article blocked from us by a paywall) reports that the FBI can remotely activate the GPS and microphone in Android phones and laptops. (I suspect this means Windows laptops.) Here is more info.
Portable phones with GPS will send their GPS location on remote command and users cannot stop them: http://www.aclu.org/government-location-tracking-cell-phones-gps-devices-and-license-plate-readers. (The US says it will eventually require all new portable phones to have GPS.)
The nonfree Snapchat app's principal purpose is to restrict the use of data on the user's computer, but it does surveillance too: it tries to get the user's list of other people's phone numbers.
Spyware in Mobile Applications
Verizon announced an opt-in proprietary search app that it will pre-install on some of its phones. The app will give Verizon the same information about the users' searches that Google normally gets when they use its search engine.
Currently, the app is being pre-installed on only one phone, and the user must explicitly opt-in before the app takes effect. However, the app remains spyware—an “optional” piece of spyware is still spyware.
The Meitu photo-editing app sends user data to a Chinese company.
A pregnancy test controller application not only can spy on many sorts of data in the phone, and in server accounts, it can alter them too.
The Uber app tracks clients' movements before and after the ride.
This example illustrates how “getting the user's consent” for surveillance is inadequate as a protection against massive surveillance.
Google's new voice messaging app logs all conversations.
Apps that include Symphony surveillance software snoop on what radio and TV programs are playing nearby. They also snoop on what users post on various sites such as Facebook, Google+ and Twitter.
Facebook's new Magic Photo app scans your mobile phone's photo collections for known faces, and suggests that you share the picture you take according to who is in the frame.
This spyware feature seems to require online access to some known-faces database, which means the pictures are likely to be sent across the wire to Facebook's servers and face-recognition algorithms.
If so, none of Facebook users' pictures are private anymore, even if the user didn't “upload” them to the service.
Like most “music screaming” disservices, Spotify is based on proprietary malware (DRM and snooping). In August 2015 it demanded users submit to increased snooping, and some are starting to realize that it is nasty.
This article shows the twisted ways that they present snooping as a way to “serve” users better—never mind whether they want that. This is a typical example of the attitude of the proprietary software industry towards those they have subjugated.
Out, out, damned Spotify!
Many proprietary apps for mobile devices report which other apps the user has installed. Twitter is doing this in a way that at least is visible and optional. Not as bad as what the others do.
FTC says most mobile apps for children don't respect privacy: http://arstechnica.com/information-technology/2012/12/ftc-disclosures-severely-lacking-in-kids-mobile-appsand-its-getting-worse/.
Widely used proprietary QR-code scanner apps snoop on the user. This is in addition to the snooping done by the phone company, and perhaps by the OS in the phone.
Don't be distracted by the question of whether the app developers get users to say “I agree”. That is no excuse for malware.
The Brightest Flashlight app sends user data, including geolocation, for use by companies.
The FTC criticized this app because it asked the user to approve sending personal data to the app developer but did not ask about sending it to other companies. This shows the weakness of the reject-it-if-you-dislike-snooping “solution” to surveillance: why should a flashlight app send any information to anyone? A free software flashlight app would not.
Spyware in Games
nVidia's proprietary GeForce Experience makes users identify themselves and then sends personal data about them to nVidia servers.
Angry Birds spies for companies, and the NSA takes advantage to spy through it too. Here's information on more spyware apps.
Spyware in Toys
The “smart” toys My Friend Cayla and i-Que transmit children's conversations to Nuance Communications, a speech recognition company based in the U.S.
Those toys also contain major security vulnerabilities; crackers can remotely control the toys with a mobile phone. This would enable crackers to listen in on a child's speech, and even speak into the toys themselves.
A computerized vibrator was snooping on its users through the proprietary control app.
The app was reporting the temperature of the vibrator minute by minute (thus, indirectly, whether it was surrounded by a person's body), as well as the vibration frequency.
Note the totally inadequate proposed response: a labeling standard with which manufacturers would make statements about their products, rather than free software which users could have checked and changed.
The company that made the vibrator was sued for collecting lots of personal information about how people used it.
The company's statement that it was anonymizing the data may be true, but it doesn't really matter. If it had sold the data to a data broker, the data broker would have been able to figure out who the user was.
Following this lawsuit, the company has been ordered to pay a total of C$4m to its customers.
That the manufacturer and the FBI could listen to these conversations was unacceptable by itself.
Spyware at Low Level
Spyware in BIOS
Lenovo stealthily installed crapware and spyware via BIOS on Windows installs. Note that the specific sabotage method Lenovo used did not affect GNU/Linux; also, a “clean” Windows install is not really clean since Microsoft puts in its own malware.
Spyware at Work
Investigation Shows GCHQ Using US Companies, NSA To Route Around Domestic Surveillance Restrictions.
Specifically, it can collect the emails of members of Parliament this way, because they pass it through Microsoft.
Spyware in Cisco TNP IP phones: http://boingboing.net/2012/12/29/your-cisco-phone-is-listening.html
Spyware in Skype
Spyware in Skype: http://www.forbes.com/sites/petercohan/2013/06/20/project-chess-how-u-s-snoops-on-your-skype/. Microsoft changed Skype specifically for spying.
Spyware on the Road
Spyware in Cameras
The Nest Cam “smart” camera is always watching, even when the “owner” switches it “off.”
A “smart” device means the manufacturer is using it to outsmart you.
Spyware in e-Readers
Spyware in many e-readers—not only the Kindle: they report even which page the user reads at what time.
Adobe made “Digital Editions,” the e-reader used by most US libraries, send lots of data to Adobe. Adobe's “excuse”: it's needed to check DRM!
Spyware in Vehicles
Computerized cars with nonfree software are snooping devices.
The Nissan Leaf has a built-in cell phone modem which allows effectively anyone to access its computers remotely and make changes in various settings.
That's easy to do because the system has no authentication when accessed through the modem. However, even if it asked for authentication, you couldn't be confident that Nissan has no access. The software in the car is proprietary, which means it demands blind faith from its users.
Even if no one connects to the car remotely, the cell phone modem enables the phone company to track the car's movements all the time; it is possible to physically remove the cell phone modem though.
Proprietary software in cars records information about drivers' movements, which is made available to car manufacturers, insurance companies, and others.
The case of toll-collection systems, mentioned in this article, is not really a matter of proprietary surveillance. These systems are an intolerable invasion of privacy, and should be replaced with anonymous payment systems, but the invasion isn't done by malware. The other cases mentioned are done by proprietary malware in the car.
Tesla cars allow the company to extract data remotely and determine the car's location at any time. (See Section 2, paragraphs b and c.) The company says it doesn't store this information, but if the state orders it to get the data and hand it over, the state can store it.
Spyware at Home
Nest thermometers send a lot of data about the user.
Spyware in TV Sets
Emo Phillips made a joke: The other day a woman came up to me and said, “Didn't I see you on television?” I said, “I don't know. You can't see out the other way.” Evidently that was before Amazon “smart” TVs.
Vizio “smart” TVs report everything that is viewed on them, and not just broadcasts and cable. Even if the image is coming from the user's own computer, the TV reports what it is. The existence of a way to disable the surveillance, even if it were not hidden as it was in these TVs, does not legitimize the surveillance.
More or less all “smart” TVs spy on their users.
The report was as of 2014, but we don't expect this has got better.
This shows that laws requiring products to get users' formal consent before collecting personal data are totally inadequate. And what happens if a user declines consent? Probably the TV will say, “Without your consent to tracking, the TV will not work.”
Proper laws would say that TVs are not allowed to report what the user watches — no exceptions!
Vizio goes a step further than other TV manufacturers in spying on their users: their “smart” TVs analyze your viewing habits in detail and link them to your IP address so that advertisers can track you across devices.
It is possible to turn this off, but having it enabled by default is an injustice already.
Tivo's alliance with Viacom adds 2.3 million households to the 600 million social media profiles the company already monitors. Tivo customers are unaware they're being watched by advertisers. By combining TV viewing information with online social media participation, Tivo can now correlate TV advertisement with online purchases, exposing all users to new combined surveillance by default.
Some web and TV advertisements play inaudible sounds to be picked up by proprietary malware running on other devices in range so as to determine that they are nearby. Once your Internet devices are paired with your TV, advertisers can correlate ads with Web activity, and other cross-device tracking.
Vizio “smart” TVs recognize and track what people are watching, even if it isn't a TV channel.
The Amazon “Smart” TV is watching and listening all the time.
The Samsung “Smart” TV transmits users' voice on the internet to another company, Nuance. Nuance can save it and would then have to give it to the US or some other government.
Speech recognition is not to be trusted unless it is done by free software in your own computer.
Spyware in LG “smart” TVs reports what the user watches, and the switch to turn this off has no effect. (The fact that the transmission reports a 404 error really means nothing; the server could save that data anyway.)
Even worse, it snoops on other devices on the user's local network.
LG later said it had installed a patch to stop this, but any product could spy this way.
Meanwhile, LG TVs do lots of spying anyway.
Spyware at Play
Users are suing Bose for distributing a spyware app for its headphones. Specifically, the app would record the names of the audio files users listen to along with the headphone's unique serial number.
The suit alleges that this was done without the users' consent. If the fine print of the app said that users gave consent for this, would that make it acceptable? No way! It should be flat out illegal to design the app to snoop at all.
Many video game consoles snoop on their users and report to the internet—even what their users weigh.
A game console is a computer, and you can't trust a computer with a nonfree operating system.
Modern gratis game cr…apps collect a wide range of data about their users and their users' friends and associates.
Even nastier, they do it through ad networks that merge the data collected by various cr…apps and sites made by different companies.
They use this data to manipulate people to buy things, and hunt for “whales” who can be led to spend a lot of money. They also use a back door to manipulate the game play for specific players.
While the article describes gratis games, games that cost money can use the same tactics.
Spyware on the Web
In addition, many web sites spy on their visitors. Web sites are not programs, so it makes no sense to call them “free” or “proprietary”, but the surveillance is an abuse all the same.
When a page uses Disqus for comments, the proprietary Disqus software loads a Facebook software package into the browser of every anonymous visitor to the page, and makes the page's URL available to Facebook.
Online sales, with tracking and surveillance of customers, enable businesses to show different people different prices. Most of the tracking is done by recording interactions with servers, but proprietary software contributes.
Pages that contain “Like” buttons enable Facebook to track visitors to those pages—even users that don't have Facebook accounts.
Many web sites rat out their visitors to advertising networks that track users. Of the top 1000 web sites, 84% (as of 5/17/2012) fed their visitors third-party cookies, allowing other sites to track them.
Many web sites report all their visitors to Google by using the Google Analytics service, which tells Google the IP address and the page that was visited.
Many web sites try to collect users' address books (the user's list of other people's phone numbers or email addresses). This violates the privacy of those other people.
Spyware in Chrome
Google Chrome contains a key logger that sends Google every URL typed in, one key at a time.
Google Chrome includes a module that activates microphones and transmits audio to its servers.
Google Chrome makes it easy for an extension to do total snooping on the user's browsing, and many of them do so.
Spyware in Flash
Flash Player's cookie feature helps web sites track visitors.
Flash is also used for “fingerprinting” devices to identify users.
The natural extension of monitoring people through “their” phones is proprietary software to make sure they can't “fool” the monitoring.
Spyware In VR
VR equipment, measuring every slight motion, creates the potential for the most intimate surveillance ever. All it takes to make this potential real is software as malicious as many other programs listed in this page.
You can bet Facebook will implement the maximum possible surveillance on Oculus Rift devices. The moral is, never trust a VR system with nonfree software in it.