<!--#include virtual="/server/header.html" -->
<!-- Parent-Version: 1.84 -->
<title>Proprietary Surveillance - GNU Project - Free Software Foundation</title>
<style type="text/css" media="print,screen"><!--
.announcement { 
   background: none;
#surveillance div.toc {
   width: 24.5em; max-width: 94%;
   margin-bottom: 1em;
@media (min-width: 48em) {
   #surveillance div.toc {
      float: left;
      width: auto; max-width: 48%;
      margin: .2em 0 1em;
   #surveillance .medium {
      width: 43%;
      margin: 7em 0 1em 1.5em;
<!-- GNUN: localize URL /graphics/dog.small.jpg -->
<!--#include virtual="/proprietary/po/proprietary-surveillance.translist" -->
<!--#include virtual="/server/banner.html" -->

<h2>Proprietary Surveillance</h2>

<p>Nonfree (proprietary) software is very often malware (designed to
mistreat the user). Nonfree software is controlled by its developers,
which puts them in a position of power over the users; <a
href="/philosophy/free-software-even-more-important.html">that is the
basic injustice</a>. The developers often exercise that power to the
detriment of the users they ought to serve.</p>

<div  class="announcement">
<p>This document attempts to
track <strong>clearly established cases of proprietary software that
spies on or tracks users</strong>.</p>

<p><a href="/proprietary/proprietary.html">
   Other examples of proprietary malware</a></p>

<p>If you know of an example that ought to be in this page but isn't
here, please write
to <a href="mailto:webmasters@gnu.org"><webmasters@gnu.org></a>
to inform us. Please include the URL of a trustworthy reference or two
to present the specifics.</p>

<div id="surveillance">

<div class="pict medium">
<a href="/graphics/dog.html">
<img src="/graphics/dog.small.jpg" alt="Cartoon of a dog, wondering at the three ads that popped up on his computer screen..." /></a>
<p>“How did they find out I'm a dog?”</p>

<div class="toc">
  <h3 id="TableOfContents">Table of Contents</h3>
    <li><a href="#Introduction">Introduction</a></li>
    <li><a href="#OSSpyware">Spyware in Operating Systems</a>
        <li><a href="#SpywareInWindows">Spyware in Windows</a></li>
        <li><a href="#SpywareInMacOS">Spyware in MacOS</a></li>
        <li><a href="#SpywareInAndroid">Spyware in Android</a></li>
    <li><a href="#SpywareOnMobiles">Spyware on Mobiles</a>
        <li><a href="#SpywareIniThings">Spyware in iThings</a></li>
        <li><a href="#SpywareInTelephones">Spyware in Telephones</a></li>
        <li><a href="#SpywareInMobileApps">Spyware in Mobile Applications</a></li>
        <li><a href="#SpywareInToys">Spyware in Toys</a></li>
    <li><a href="#SpywareOnSmartWatches">Spyware on Smart Watches</a></li>
    <li><a href="#SpywareAtLowLevel">Spyware at Low Level</a>
        <li><a href="#SpywareInBIOS">Spyware in BIOS</a></li>
    <li><a href="#SpywareAtWork">Spyware at Work</a>
        <li><a href="#SpywareInSkype">Spyware in Skype</a></li>
    <li><a href="#SpywareOnTheRoad">Spyware on the Road</a>
        <li><a href="#SpywareInCameras">Spyware in Cameras</a></li>
        <li><a href="#SpywareInElectronicReaders">Spyware in e-Readers</a></li>
        <li><a href="#SpywareInVehicles">Spyware in Vehicles</a></li>
    <li><a href="#SpywareAtHome">Spyware at Home</a>
        <li><a href="#SpywareInTVSets">Spyware in TV Sets</a></li>
    <li><a href="#SpywareInGames">Spyware in Games</a></li>
    <li><a href="#SpywareInRecreation">Spyware in Recreation</a></li>
    <li><a href="#SpywareOnTheWeb">Spyware on the Web</a>
        <li><a href="#SpywareInChrome">Spyware in Chrome</a></li>
        <li><a href="#SpywareInFlash">Spyware in JavaScript and Flash</a></li>
    <li><a href="#SpywareInDrones">Spyware in Drones</a></li> 
    <li><a href="#SpywareEverywhere">Spyware Everywhere</a></li> 
    <li><a href="#SpywareInVR">Spyware In VR</a></li>

<div style="clear: left;"></div>

<!-- #Introduction -->

<div class="big-section">
  <h3 id="Introduction">Introduction</h3>
<div style="clear: left;"></div>

<p>For decades, the Free Software movement has been denouncing the
abusive surveillance machine of
<a href="/proprietary/proprietary.html">proprietary software</a>
companies such as
<a href="/proprietary/malware-microsoft.html">Microsoft</a>
<a href="/proprietary/malware-apple.html">Apple</a>.

In the recent years, this tendency to watch people has spread across
industries, not only in the software business, but also in the
hardware.  Moreover, it also spread dramatically away from the
keyboard, in the mobile computing industry, in the office, at home, in
transportation systems, and in the classroom.</p>

<h3 id="AggregateInfoCollection">Aggregate or anonymized data</h3>

<p>Many companies, in their privacy policy, have a clause that claims
they share aggregate, non-personally identifiable information with
third parties/partners. Such claims are worthless, for several

    <li>They could change the policy at any time.</li>
    <li>They can twist the words by distributing an “aggregate” of
        “anonymized” data which can be reidentified and attributed to
    <li>The raw data they don't normally distribute can be taken by
        data breaches.</li>
    <li>The raw data they don't normally distribute can be taken by

<p>Therefore, we must not be distracted by companies' statements of
they will <em>do</em> with the data they collect. The wrong is that
they collect it at all.</p>

<h3 id="LatestAdditions">Latest additions</h3>

<p>Latest additions are found on top under each category.</p>

<!-- #OSSpyware -->
<!-- WEBMASTERS: make sure to place new items on top under each subsection -->

<div class="big-section">
  <h3 id="OSSpyware">Spyware in Operating Systems</h3>
  <span class="anchor-reference-id">(<a href="#OSSpyware">#OSSpyware</a>)</span>
<div style="clear: left;"></div>

<div class="big-subsection">
  <h4 id="SpywareInWindows">Spyware in Windows</h4>
  <span class="anchor-reference-id">(<a href="#SpywareInWindows">#SpywareInWindows</a>)</span>

  <li><p>Windows 10 telemetry program sends information to Microsoft about the
      user's computer and their use of the computer.</p>

    <p>Furthermore, for users who installed the fourth stable build of
      Windows 10, called the “Creators Update,” Windows maximized the
      surveillance<a href="https://arstechnica.com/gadgets/2017/10/dutch-privacy-regulator-says-that-windows-10-breaks-the-law">
      by force setting the telemetry mode to “Full”</a>.</p>

<p>The <a
 “Full” telemetry mode</a> allows Microsoft Windows
 engineers to access, among other things, registry keys
 <a href="https://technet.microsoft.com/en-us/library/cc939702.aspx">which
 can contain sensitive information like administrator's login

  <li><p>Windows DRM
  files <a href="https://yro.slashdot.org/story/17/02/02/231229/windows-drm-protected-files-used-to-decloak-tor-browser-users">can
  be used to identify people browsing through Tor</a>. The
  vulnerability exists only if you use Windows.

  <li><p>By default, Windows 10 <a href="http://betanews.com/2016/11/24/microsoft-shares-windows-10-telemetry-data-with-third-parties">sends
      debugging information to Microsoft, including core dumps</a>. Microsoft now distributes them to another company.</p></li>

<li>In order to increase Windows 10's install base, Microsoft
blatantly disregards user choice and privacy</a>.

  <li><p><a href="https://duo.com/blog/bring-your-own-dilemma-oem-laptops-and-windows-10-security">
      Windows 10 comes with 13 screens of snooping options</a>, all enabled by default,
      and turning them off would be daunting to most users.</p></li>

  <li><p><a href="https://theintercept.com/2015/12/28/recently-bought-a-windows-computer-microsoft-probably-has-your-encryption-key/">
      Microsoft has already backdoored its disk encryption</a>.</p></li>

  <li>It appears
      <a href="http://www.ghacks.net/2016/01/05/microsoft-may-be-collecting-more-data-than-initially-thought/">
      Windows 10 sends data to Microsoft about what applications are 
  <li><p>A downgrade to Windows 10 deleted surveillance-detection
      applications.  Then another downgrade inserted a general spying
      program.  Users noticed this and complained, so Microsoft
      renamed it
      <a href="https://web.archive.org/web/20160407082751/http://www.theregister.co.uk/2015/11/26/microsoft_renamed_data_slurper_reinserted_windows_10/">
	to give users the impression it was gone</a>.</p>
      <p>To use proprietary software is to invite such treatment.</p>
  Windows 10 <a href="https://web.archive.org/web/20151001035410/https://jonathan.porta.codes/2015/07/30/windows-10-seems-to-have-some-scary-privacy-defaults/">
  ships with default settings that show no regard for the
  privacy of its users</a>, giving Microsoft the “right”
  to snoop on the users' files, text input, voice input,
  location info, contacts, calendar records and web browsing
  history, as well as automatically connecting the machines to open
  hotspots and showing targeted ads.</p></li>

  <a href="http://arstechnica.com/information-technology/2015/08/even-when-told-not-to-windows-10-just-cant-stop-talking-to-microsoft/">
  Windows 10 sends identifiable information to Microsoft</a>, even if a user
  turns off its Bing search and Cortana features, and activates the
  privacy-protection settings.</p></li>

  Microsoft uses Windows 10's “privacy policy” to overtly impose a
  “right” to look at users' files at any time. Windows 10 full disk
  encryption <a href="https://edri.org/microsofts-new-small-print-how-your-personal-data-abused/">
  gives Microsoft a key</a>.</p>

  <p>Thus, Windows is overt malware in regard to surveillance,
  as in other issues.</p>

  <p>We can suppose Microsoft look at users' files for the US government on
  demand, though the “privacy policy” does not explicit say so. Will it
  look at users' files for the Chinese government on demand?</p>

  <p>The unique “advertising ID” for each user enables other companies to
  track the browsing of each specific user.</p>

  <p>It's as if Microsoft has deliberately chosen to make Windows 10
  maximally evil on every dimension; to make a grab for total power
  over anyone that doesn't drop Windows now.</p></li>

  <li><p>It only gets worse with time.
      <a href="http://www.techworm.net/2014/10/microsofts-windows-10-permission-watch-every-move.html">
      Windows 10 requires users to give permission for total snooping</a>,
      including their files, their commands, their text input, and their
      voice input.</p>

  <li><p><a href="http://www.infoworld.com/article/2611451/microsoft-windows/a-look-at-the-black-underbelly-of-windows-8-1--blue-.html">
      Windows 8.1 snoops on local searches.</a>.</p>

  <li><p>And there's a
      <a href="http://www.marketoracle.co.uk/Article40836.html">
      secret NSA key in Windows</a>, whose functions we don't know.</p>

  <li>HP's proprietary
  operating system <a href="http://www.bbc.com/news/technology-42309371">includes
  a proprietary keyboard driver with a key logger in it</a>.</li>

<p>Microsoft's snooping on users did not start with Windows 10.
   There's a lot more <a href="/proprietary/malware-microsoft.html">
   Microsoft malware</a>.</p>

<div class="big-subsection">
  <h4 id="SpywareInMacOS">Spyware in MacOS</h4>
  <span class="anchor-reference-id">(<a href="#SpywareInMacOS">#SpywareInMacOS</a>)</span>

  <li><p><a href="http://www.washingtonpost.com/blogs/the-switch/wp/2014/10/30/how-one-mans-private-files-ended-up-on-apples-icloud-without-his-consent/">
      MacOS automatically sends to Apple servers unsaved documents being
      edited</a>. The <a
      things you have not decided to save are even more sensitive than
      the things you have stored in files</a>.</p>

  <li><p>Apple has made various
      <a href="http://www.theguardian.com/technology/2014/nov/04/apple-data-privacy-icloud">
      MacOS programs send files to Apple servers without asking
      permission</a>. This exposes the files to Big Brother and perhaps to
      other snoops.</p>

      <p>It also demonstrates how you can't trust proprietary software,
      because even if today's version doesn't have a malicious
      functionality, tomorrow's version might add it. The developer won't
      remove the malfeature unless many users push back hard, and the users
      can't remove it themselves.</p>

  <li><p>Various operations in
      <a href="http://lifehacker.com/safari-and-spotlight-can-send-data-to-apple-heres-how-1648453540">
      the latest MacOS send reports to Apple</a> servers.</p>

  <li><p>Apple admits the
      <a href="http://www.intego.com/mac-security-blog/spotlight-suggestions-in-os-x-yosemite-and-ios-are-you-staying-private/">
      spying in a search facility</a>, but there's a lot
      <a href="https://github.com/fix-macosx/yosemite-phone-home">
      more snooping that Apple has not talked about</a>.</p>

  <li><p><a href="http://finance.yahoo.com/blogs/the-exchange/privacy-advocates-worry-over-new-apple-iphone-tracking-feature-161836223.html">
      Spotlight search</a> sends users' search terms to Apple.</p>

<p>There's a lot more <a href="#SpywareIniThings">iThing spyware</a>, and
<a href="/proprietary/malware-apple.html">Apple malware</a>.</p>

<div class="big-subsection">
  <h4 id="SpywareInAndroid">Spyware in Android</h4>
  <span class="anchor-reference-id">(<a href="#SpywareInAndroid">#SpywareInAndroid</a>)</span>

    than <a href="https://www.theguardian.com/technology/2018/apr/16/child-apps-games-android-us-google-play-store-data-sharing-law-privacy">50%
    of the 5,855 Android apps studied by researchers were found to
    snoop and collect information about its users</a>.  40% of the
    apps were found to insecurely snitch on its users.  Furthermore,
    they could detect only some methods of snooping, in these
    proprietary apps whose source code they cannot look at.  The other
    apps might be snooping in other ways.</p>

  <p>This is evidence that proprietary apps generally work against
    their users.  To protect their privacy and freedom, Android users need
    to get rid of the proprietary software—both proprietary Android
    by <a href="https://replicant.us">switching to Replicant</a>, and
    the proprietary apps by getting apps from the free software
    only <a href="https://f-droid.org/">F-Droid store</a>
    that <a href="https://f-droid.org/wiki/page/Antifeatures">
    prominently warns the user if an app contains

  <p>20 dishonest Android apps
      recorded <a href="https://arstechnica.com/information-technology/2017/07/stealthy-google-play-apps-recorded-calls-and-stole-e-mails-and-texts">phone
      calls and sent them and text messages and emails to

  <p>Google did not intend to make these apps spy; on the contrary, it
    worked in various ways to prevent that, and deleted these apps
    after discovering what they did. So we cannot blame Google
    specifically for the snooping of these apps.</p>

  <p>On the other hand, Google redistributes nonfree Android apps, and
    therefore shares in the responsibility for the injustice of their
    being nonfree. It also distributes its own nonfree apps, such as
    Play, <a href="/philosophy/free-software-even-more-important.html">which
      are malicious</a>.</p>

  <p>Could Google have done a better job of preventing apps from
    cheating?  There is no systematic way for Google, or Android
    users, to inspect executable proprietary apps to see what they

  <p>Google could demand the source code for these apps, and study the
    source code somehow to determine whether they mistreat users in
    various ways. If it did a good job of this, it could more or less
    prevent such snooping, except when the app developers are clever
    enough to outsmart the checking.</p>

  <p>But since Google itself develops malicious apps, we cannot trust
    Google to protect us. We must demand release of source code to the
    public, so we can depend on each other.</p>
    <a href="https://research.csiro.au/ng/wp-content/uploads/sites/106/2016/08/paper-1.pdf">
      research paper</a> that investigated the privacy and security
    of 283 Android VPN apps concluded that “in spite of the
    promises for privacy, security, and anonymity given by the
    majority of VPN apps—millions of users may be unawarely subject
    to poor security guarantees and abusive practices inflicted by
    VPN apps.”</p>

  <p>Following is a non-exhaustive list of proprietary VPN apps from
    the research paper that tracks and infringes the privacy of

    <dd>Includes tracking libraries such as NativeX and Appflood,
      meant to track users and show them targeted ads.</dd>

    <dt>sFly Network Booster</dt>
    <dd>Requests the <code>READ_SMS</code> and <code>SEND_SMS</code>
      permissions upon installation, meaning it has full access to
      users' text messages.</dd>

    <dt>DroidVPN and TigerVPN</dt>
    <dd>Requests the <code>READ_LOGS</code> permission to read logs
      for other apps and also core system logs. TigerVPN developers
      have confirmed this.</dd>

    <dd>Sends traffic to LinkedIn. Also, it stores detailed logs
      and may turn them over to the UK government if

    <dt>VPN Services HotspotShield</dt>
    <dd>Injects JavaScript code into the HTML pages returned to the
      users. The stated purpose of the JS injection is to display
      ads. Uses roughly 5 tracking libraries. Also, it redirects the
      user's traffic through valueclick.com (an advertising

    <dt>WiFi Protector VPN</dt>
    <dd>Injects JavaScript code into HTML pages, and also uses
      roughly 5 tracking libraries. Developers of this app have
      confirmed that the non-premium version of the app does
      JavaScript injection for tracking and display ads.</dd>
  <p><a href="http://www.privmetrics.org/wp-content/uploads/2015/06/wisec2015.pdf">A study in 2015</a> found that 90% of the top-ranked gratis
  proprietary Android apps contained recognizable tracking libraries. For 
  the paid proprietary apps, it was only 60%.</p>

  <p>The article confusingly describes gratis apps as “free”,
  but most of them are not in fact
  <a href="/philosophy/free-sw.html">free software</a>.
  It also uses the ugly word “monetize”. A good replacement
  for that word is “exploit”; nearly always that will fit

  <p>Apps for BART
    <a href="https://consumerist.com/2017/05/23/passengers-say-commuter-rail-app-illegally-collects-personal-user-data/">snoop on users</a>.</p>
  <p>With free software apps, users could <em>make sure</em> that they don't snoop.</p>
  <p>With proprietary apps, one can only hope that they don't.</p>

  <p>A study found 234 Android apps that track users by
	<a href="https://www.bleepingcomputer.com/news/security/234-android-applications-are-currently-using-ultrasonic-beacons-to-track-users/">listening
	to ultrasound from beacons placed in stores or played by TV programs</a>.


  <p>Pairs of Android apps can collude to transmit users' personal
	data to servers. <a href="https://www.theatlantic.com/technology/archive/2017/04/when-apps-collude-to-steal-your-data/522177/">A study found
	tens of thousands of pairs that collude</a>.</p>

<p>Google Play intentionally sends app developers <a
the personal details of users that install the app</a>.</p>

<p>Merely asking the “consent” of users is not enough
to legitimize actions like this.  At this point, most users have
stopped reading the “Terms and Conditions” that spell out
what they are “consenting” to.  Google should clearly
and honestly identify the information it collects on users, instead
of hiding it in an obscurely worded EULA.</p>

<p>However, to truly protect people's privacy, we must prevent Google
and other companies from getting this personal information in the first

    <p>Google Play (a component of Android) <a
    tracks the users' movements without their permission</a>.</p>

    <p>Even if you disable Google Maps and location tracking, you must
    disable Google Play itself to completely stop the tracking.  This is
    yet another example of nonfree software pretending to obey the user,
    when it's actually doing something else.  Such a thing would be almost
    unthinkable with free software.</p>

  <li><p>More than 73% of the most popular Android apps
  <a href="http://jots.pub/a/2015103001/index.php">share personal,
  behavioral and location information</a> of their users with third parties.</p>

  <li><p>“Cryptic communication,” unrelated to the app's functionality,
  was <a href="http://news.mit.edu/2015/data-transferred-android-apps-hiding-1119">
  found in the 500 most popular gratis Android apps</a>.</p>

  <p>The article should not have described these apps as
  “free”—they are not free software.  The clear way to say
  “zero price” is “gratis.”</p>

  <p>The article takes for granted that the usual analytics tools are
  legitimate, but is that valid?  Software developers have no right to
  analyze what users are doing or how.  “Analytics” tools that snoop are
  just as wrong as any other snooping.</p>
  <li><p>Gratis Android apps (but not <a href="/philosophy/free-sw.html">free software</a>)
      connect to 100
      <a href="http://www.theguardian.com/technology/2015/may/06/free-android-apps-connect-tracking-advertising-websites">tracking and advertising</a> URLs,
      on the average.</p>
  <li><p>Spyware is present in some Android devices when they are sold.
      Some Motorola phones modify Android to
      <a href="http://www.beneaththewaves.net/Projects/Motorola_Is_Listening.html">
      send personal data to Motorola</a>.</p>

  <li><p>Some manufacturers add a
      <a href="http://androidsecuritytest.com/features/logs-and-services/loggers/carrieriq/">
      hidden general surveillance package such as Carrier IQ.</a></p>

  <li><p><a href="/proprietary/proprietary-back-doors.html#samsung">
      Samsung's back door</a> provides access to any file on the system.</p>

<!-- #SpywareOnMobiles -->
<!-- WEBMASTERS: make sure to place new items on top under each subsection -->

<div class="big-section">
  <h3 id="SpywareOnMobiles">Spyware on Mobiles</h3>
  <span class="anchor-reference-id">(<a href="#SpywareOnMobiles">#SpywareOnMobiles</a>)</span>
<div style="clear: left;"></div>

<div class="big-subsection">
  <h4 id="SpywareIniThings">Spyware in iThings</h4>
  <span class="anchor-reference-id">(<a href="#SpywareIniThings">#SpywareIniThings</a>)</span>

  <li><p>The DMCA and the EU Copyright Directive make it <a
      illegal to study how iOS cr...apps spy on users</a>, because this
      would require circumventing the iOS DRM.</p>

  <li><p>In the latest iThings system, “turning off” WiFi and Bluetooth the
      obvious way <a
      doesn't really turn them off</a>.
      A more advanced way really does turn them off—only until 5am.
      That's Apple for you—“We know you want to be spied on”.</p>
  <li><p>Apple proposes
      <a href="https://www.theguardian.com/technology/2017/feb/15/apple-removing-iphone-home-button-fingerprint-scanning-screen">a fingerprint-scanning touch screen</a>
      — which would mean no way to use it without having your fingerprints
      taken. Users would have no way to tell whether the phone is snooping on

  <li><p>iPhones <a href="https://theintercept.com/2016/11/17/iphones-secretly-send-call-history-to-apple-security-firm-says">send href="https://theintercept.com/2016/11/17/iphones-secretly-send-call-history-to-apple-security-firm-says/">send
      lots of personal data to Apple's servers</a>.  Big Brother can
        get them from there.</p>

  <li><p>The iMessage app on iThings <a href="https://theintercept.com/2016/09/28/apple-logs-your-imessage-contacts-and-may-share-them-with-police/">tells
        a server every phone number that the user types into it</a>; the server records these numbers for at least 30

  <li><p>Users cannot make an Apple ID <a href="http://apple.stackexchange.com/questions/49951/how-can-i-download-free-apps-without-registering-an-apple-idcool">(necessary
      (necessary to install even gratis apps)</a>
      without giving a valid email address and receiving the code Apple
      sends to it.</p>

  <li><p>Around 47% of the most popular iOS apps
      <a class="not-a-duplicate" 
	 href="http://jots.pub/a/2015103001/index.php">share personal,
	behavioral and location information</a> of their users with third parties.</p>

  <li><p>iThings automatically upload to Apple's servers all the photos and
      videos they make.</p>

      iCloud Photo Library stores every photo and video you take,
      and keeps them up to date on all your devices.
      Any edits you make are automatically updated everywhere. [...]

    <p>(From <a href="https://www.apple.com/icloud/photos/">Apple's iCloud
      information</a> as accessed on 24 Sep 2015.) The iCloud feature is
      <a href="https://support.apple.com/en-us/HT202033">activated by the
      startup of iOS</a>. The term “cloud” means
      “please don't ask where.”</p>

    <p>There is a way to <a href="https://support.apple.com/en-us/HT201104">
      deactivate iCloud</a>, but it's active by default so it still counts as a
      surveillance functionality.</p>

    <p>Unknown people apparently took advantage of this to
      <a href="https://www.theguardian.com/technology/2014/sep/01/naked-celebrity-hack-icloud-backup-jennifer-lawrence">get
      nude photos of many celebrities</a>. They needed to break Apple's
      security to get at them, but NSA can access any of them through
      <a href="/philosophy/surveillance-vs-democracy.html#digitalcash">PRISM</a>.

  <li><p>Spyware in iThings:
      the <a class="not-a-duplicate"
	iBeacon</a> lets stores determine exactly where the iThing is,
      and get other info too.</p>

  <li><p>There is also a feature for web sites to track users, which is
      <a href="http://nakedsecurity.sophos.com/2012/10/17/how-to-disable-apple-ios-user-tracking-ios-6/">
      enabled by default</a>.  (That article talks about iOS 6, but it
      is still true in iOS 7.)</p>

  <li><p>The iThing also
      tells Apple its geolocation</a> by default, though that can be
      turned off.</p>

  <li><p>Apple can, and regularly does,
      <a href="http://arstechnica.com/apple/2014/05/new-guidelines-outline-what-iphone-data-apple-can-give-to-police/">
      remotely extract some data from iPhones for the state</a>.</p>

  <li><p><a href="http://www.zerohedge.com/news/2013-12-30/how-nsa-hacks-your-iphone-presenting-dropout-jeep">
      Either Apple helps the NSA snoop on all the data in an iThing,
      or it is totally incompetent.</a></p>

  <li><p><a href="http://www.theguardian.com/technology/2014/jul/23/iphone-backdoors-surveillance-forensic-services">
      Several “features” of iOS seem to exist for no
      possible purpose other than surveillance</a>.  Here is the
      <a href="http://www.zdziarski.com/blog/wp-content/uploads/2014/07/iOS_Backdoors_Attack_Points_Surveillance_Mechanisms_Moved.pdf">
      Technical presentation</a>.</p>

<div class="big-subsection">
  <h4 id="SpywareInTelephones">Spyware in Telephones</h4>
  <span class="anchor-reference-id">(<a href="#SpywareInTelephones">#SpywareInTelephones</a>)</span>

  <li><p>Tracking software in popular Android apps is pervasive and
      sometimes very clever. Some trackers can <a
      follow a user's movements around a physical store by noticing WiFi

  <li><p>Android tracks location for Google <a
      even when “location services” are turned off, even
      when the phone has no SIM card</a>.</p></li>

  <li><p>Some portable phones <a href="http://www.prnewswire.com/news-releases/kryptowire-discovered-mobile-phone-firmware-that-transmitted-personally-identifiable-information-pii-without-user-consent-or-disclosure-300362844.html">are
      sold with spyware sending lots of data to China</a>.</p></li>

  <li><p>According to Edward Snowden,
      <a href="http://www.bbc.com/news/uk-34444233">agencies can take over smartphones</a>
      by sending hidden text messages which enable them to turn the phones
      on and off, listen to the microphone, retrieve geo-location data from the
      GPS, take photographs, read text messages, read call, location and web
      browsing history, and read the contact list. This malware is designed to
      disguise itself from investigation.</p>

  <li><p>Samsung phones come with
      <a href="http://arstechnica.com/gadgets/2015/07/samsung-sued-for-loading-devices-with-unremovable-crapware-in-china/">apps that users can't delete</a>,
      and they send so much data that their transmission is a
      substantial expense for users.  Said transmission, not wanted or
      requested by the user, clearly must constitute spying of some

  <li><p>A Motorola phone
      <a href="http://www.itproportal.com/2013/07/25/motorolas-new-x8-arm-chip-underpinning-the-always-on-future-of-android/">
      listens for voice all the time</a>.</p>

  <li><p>Spyware in Android phones (and Windows? laptops): The Wall
      Street Journal (in an article blocked from us by a paywall)
      reports that
      <a href="http://www.theverge.com/2013/8/1/4580718/fbi-can-remotely-activate-android-and-laptop-microphones-reports-wsj">
      the FBI can remotely activate the GPS and microphone in Android
      phones and laptops</a>.
      (I suspect this means Windows laptops.)  Here is
      <a href="http://cryptome.org/2013/08/fbi-hackers.htm">more info</a>.</p>

  <li><p>Portable phones with GPS will send their GPS location on
      remote command and users cannot stop them:
      <a href="http://www.aclu.org/government-location-tracking-cell-phones-gps-devices-and-license-plate-readers">
      (The US says it will eventually require all new portable phones
      to have GPS.)</p>

  <li><p>The nonfree Snapchat app's principal purpose is to restrict
      the use of data on the user's computer, but it does surveillance
      too: <a href="http://www.theguardian.com/media/2013/dec/27/snapchat-may-be-exposed-hackers">
      it tries to get the user's list of other people's phone

<div class="big-subsection">
  <h4 id="SpywareInMobileApps">Spyware in Mobile Applications</h4>
  <span class="anchor-reference-id">(<a href="#SpywareInMobileApps">#SpywareInMobileApps</a>)</span>

  <li><p>The Spanish football streaming app
      <a href="https://boingboing.net/2018/06/11/spanish-football-app-turns-use.html">tracks
        the user's movements and listens through the

    <p>This makes them act as spies for licensing enforcement.</p>

    <p>I expect it implements DRM, too—that there is no way to
      save a recording. But I can't be sure from the article.</p>

    <p>If you learn to care much less about sports, you will benefit
      in many ways. This is one more.</p>

  <li><p>Grindr collects information about <a
    which users are HIV-positive, then provides the information to

    <p>Grindr should not have so much information about its users.
    It could be designed so that users communicate such info to each other
    but not to the server's database.</p>

    <p>The moviepass app and dis-service spy on users even more than users
      expected. It <a href="https://techcrunch.com/2018/03/05/moviepass-ceo-proudly-says-the-app-tracks-your-location-before-and-after-movies/">records
        where they travel before and after going to a movie</a>.

    <p>Don't be tracked — pay cash!</p>

  <li><p>AI-powered driving apps can
    <a href="https://motherboard.vice.com/en_us/article/43nz9p/ai-powered-driving-apps-can-track-your-every-move">
    track your every move</a>.</p>

  <li><p>The Sarahah app 
      <a href="https://theintercept.com/2017/08/27/hit-app-sarahah-quietly-uploads-your-address-book/">
      uploads all phone numbers and email addresses</a> in user's address
      book to developer's server.  Note that this article misuses the words
      “<a href="/philosophy/free-sw.html">free software</a>”
      referring to zero price.</p>
    <p>Facebook's app listens all the time, <a href="http://www.independent.co.uk/life-style/gadgets-and-tech/news/facebook-using-people-s-phones-to-listen-in-on-what-they-re-saying-claims-professor-a7057526.html">to snoop
    on what people are listening to or watching</a>. In addition, it may
    be analyzing people's conversations to serve them with targeted

		<p>Faceapp appears to do lots of surveillance, judging by 
    <a href="https://www.washingtonpost.com/news/the-intersect/wp/2017/04/26/everything-thats-wrong-with-faceapp-the-latest-creepy-photo-app-for-your-face/">
		how much access it demands to personal data in the device</a>.

   <p>Verizon <a href="https://yro.slashdot.org/story/17/03/30/0112259/verizon-to-force-appflash-spyware-on-android-phones">
	 announced an opt-in proprietary search app that it will</a>
	 pre-install on some of its phones. The app will give Verizon the same
   information about the users' searches that Google normally gets when
   they use its search engine.</p>

   <p>Currently, the app is <a href="https://www.eff.org/deeplinks/2017/04/update-verizons-appflash-pre-installed-spyware-still-spyware">
    being pre-installed on only one phone</a>, and the
    user must explicitly opt-in before the app takes effect. However, the
    app remains spyware—an “optional” piece of spyware is
    still spyware.</p>

  <li><p>The Meitu photo-editing
  app <a href="https://theintercept.com/2017/01/21/popular-selfie-app-sending-user-data-to-china-researchers-say/">sends
  user data to a Chinese company</a>.</p></li>

  <li><p>A pregnancy test controller application not only
  can <a href="http://www.theverge.com/2016/4/25/11503718/first-response-pregnancy-pro-test-bluetooth-app-security">spy
  on many sorts of data in the phone, and in server accounts, it can
  alter them too</a>.

  <li><p>The Uber app tracks <a href="https://techcrunch.com/2016/11/28/uber-background-location-data-collection/">clients'
        movements before and after the ride</a>.</p>

        <p>This example illustrates how “getting the user's consent”
        for surveillance is inadequate as a protection against massive

  <li><p>Google's new voice messaging app <a href="http://www.theverge.com/2016/9/21/12994362/allo-privacy-message-logs-google">logs
      all conversations</a>.</p>

  <li><p>Apps that include 
      <a href="http://techaeris.com/2016/01/13/symphony-advanced-media-software-tracks-your-digital-life-through-your-smartphone-mic/">
      Symphony surveillance software snoop on what radio and TV programs 
      are playing nearby</a>.  Also on what users post on various sites 
      such as Facebook, Google+ and Twitter.</p>

  <li><p>Facebook's new Magic Photo app
scans your mobile phone's photo collections for known faces</a>,
      and suggests you to share the picture you take according to who
      is in the frame.</p>

      <p>This spyware feature seems to require online access to some
      known-faces database, which means the pictures are likely to be
      sent across the wire to Facebook's servers and face-recognition

      <p>If so, none of Facebook users' pictures are private
      anymore, even if the user didn't “upload” them to the service.</p>

  <li><p>Like most “music screaming” disservices, Spotify
      is based on proprietary malware (DRM and snooping). In August
      2015 it <a
      demanded users submit to increased snooping</a>, and some
      are starting to realize that it is nasty.</p>

      <p>This article shows the <a
      twisted ways that they present snooping as a way
      to “serve” users better</a>—never mind
      whether they want that. This is a typical example of
      the attitude of the proprietary software industry towards
      those they have subjugated.</p>

      <p>Out, out, damned Spotify!</p>
  <li><p>Many proprietary apps for mobile devices report which other
    apps the user has
    installed.  <a href="http://techcrunch.com/2014/11/26/twitter-app-graph/">Twitter
    is doing this in a way that at least is visible and
    optional</a>. Not as bad as what the others do.</p>

  <li><p>FTC says most mobile apps for children don't respect privacy:
      <a href="http://arstechnica.com/information-technology/2012/12/ftc-disclosures-severely-lacking-in-kids-mobile-appsand-its-getting-worse/">

  <li><p>Widely used <a href="https://freedom-to-tinker.com/blog/kollarssmith/scan-this-or-scan-me-user-privacy-barcode-scanning-applications/">proprietary
      QR-code scanner apps snoop on the user</a>. This is in addition to
      the snooping done by the phone company, and perhaps by the OS in the

      <p>Don't be distracted by the question of whether the app developers get
      users to say “I agree”. That is no excuse for malware.</p>

  <li><p>The Brightest Flashlight app
      <a href="http://www.theguardian.com/technology/2013/dec/06/android-app-50m-downloads-sent-data-advertisers">
      sends user data, including geolocation, for use by companies.</a></p>

      <p>The FTC criticized this app because it asked the user to
      approve sending personal data to the app developer but did not
      ask about sending it to other companies.  This shows the
      weakness of the reject-it-if-you-dislike-snooping
      “solution” to surveillance: why should a flashlight
      app send any information to anyone?  A free software flashlight
      app would not.</p>

<div class="big-subsection">
  <h4 id="SpywareInToys">Spyware in Toys</h4>
  <span class="anchor-reference-id">(<a href="#SpywareInToys">#SpywareInToys</a>)</span>


    <p>A remote-control sex toy was found to make <a href="https://www.theverge.com/2017/11/10/16634442/lovense-sex-toy-spy-survei">audio recordings
        of the conversation between two users</a>.</p>

    <p>The “smart” toys My Friend Cayla and i-Que transmit 
      <a href="https://www.forbrukerradet.no/siste-nytt/connected-toys-violate-consumer-laws">children's conversations to Nuance Communications</a>,
      a speech recognition company based in the U.S.</p>

    <p>Those toys also contain major security vulnerabilities; crackers
      can remotely control the toys with a mobile phone. This would
      enable crackers to listen in on a child's speech, and even speak
      into the toys themselves.</p>

    <p>A computerized vibrator
      <a href="https://www.theguardian.com/technology/2016/aug/10/vibrator-phone-app-we-vibe-4-plus-bluetooth-hack">
	was snooping on its users through the proprietary control app</a>.</p>
    <p>The app was reporting the temperature of the vibrator minute by
      minute (thus, indirectly, whether it was surrounded by a person's
      body), as well as the vibration frequency.</p>
    <p>Note the totally inadequate proposed response: a labeling
      standard with which manufacturers would make statements about
      their products, rather than free software which users could have
      checked and changed.</p>
    <p>The company that made the vibrator
      <a href="https://www.theguardian.com/us-news/2016/sep/14/wevibe-sex-toy-data-collection-chicago-lawsuit">
	was sued for collecting lots of personal information about how
	people used it</a>.</p>
    <p>The company's statement that it was anonymizing the data may be
      true, but it doesn't really matter. If it had sold the data to a
      data broker, the data broker would have been able to figure out
      who the user was.</p>
    <p>Following this lawsuit,
      <a href="https://www.theguardian.com/technology/2017/mar/14/we-vibe-vibrator-tracking-users-sexual-habits">
	the company has been ordered to pay a total of C$4m</a>
      to its customers.</p>
  <li><p> “CloudPets” toys with microphones <a href="https://www.theguardian.com/technology/2017/feb/28/cloudpets-data-breach-leaks-details-of-500000-children-and-adults">leak
      leak childrens' conversations to the manufacturer</a>. Guess what? <a href="https://motherboard.vice.com/en_us/article/internet-of-things-teddy-bear-leaked-2-million-parent-and-kids-message-recordings">Crackers
      Crackers found a way to access the data</a> collected by the
      manufacturer's snooping.</p>

    <p>That the manufacturer and the FBI could listen to these conversations
      was unacceptable by itself.</p></li>
      <a href="http://www.mirror.co.uk/news/technology-science/technology/wi-fi-spy-barbie-records-childrens-5177673">is going to spy on children and adults</a>.</p>

<!-- #SpywareOnSmartWatches -->
<!-- WEBMASTERS: make sure to place new items on top under each subsection -->

<div class="big-section">
  <h3 id="SpywareOnSmartWatches">Spyware on “Smart” Watches</h3>
  <span class="anchor-reference-id">
    (<a href="#SpywareOnSmartWatches">#SpywareOnSmartWatches</a>)</span>
<div style="clear: left;"></div>

    <p>An LG “smart” watch is designed
      <a href="http://www.huffingtonpost.co.uk/2014/07/09/lg-kizon-smart-watch_n_5570234.html">
	to report its location to someone else and to transmit
	conversations too</a>.</p>
    <p>A very cheap “smart watch” comes with an Android app
      <a href="https://www.theregister.co.uk/2016/03/02/chinese_backdoor_found_in_ebays_popular_cheap_smart_watch/">
	that connects to an unidentified site in China</a>.</p>
    <p>The article says this is a back door, but that could be a
      misunderstanding.  However, it is certainly surveillance, at

<!-- #SpywareAtLowLevel -->
<!-- WEBMASTERS: make sure to place new items on top under each subsection -->

<div class="big-section">
  <h3 id="SpywareAtLowLevel">Spyware at Low Level</h3>
  <span class="anchor-reference-id">(<a href="#SpywareAtLowLevel">#SpywareAtLowLevel</a>)</span>
<div style="clear: left;"></div>

<div class="big-subsection">
  <h4 id="SpywareInBIOS">Spyware in BIOS</h4>
  <span class="anchor-reference-id">(<a href="#SpywareInBIOS">#SpywareInBIOS</a>)</span>

<a href="http://www.computerworld.com/article/2984889/windows-pcs/lenovo-collects-usage-data-on-thinkpad-thinkcentre-and-thinkstation-pcs.html">
Lenovo stealthily installed crapware and spyware via BIOS</a> on Windows installs.
Note that the specific sabotage method Lenovo used did not affect
GNU/Linux; also, a “clean” Windows install is not really
clean since <a href="/proprietary/malware-microsoft.html">Microsoft
puts in its own malware</a>.

<!-- #SpywareAtWork -->
<!-- WEBMASTERS: make sure to place new items on top under each subsection -->

<div class="big-section">
  <h3 id="SpywareAtWork">Spyware at Work</h3>
  <span class="anchor-reference-id">(<a href="#SpywareAtWork">#SpywareAtWork</a>)</span>
<div style="clear: left;"></div>

        Shows <a href="https://www.techdirt.com/articles/20160602/17210734610/investigation-shows-gchq-using-us-companies-nsa-to-route-around-domestic-surveillance-restrictions.shtml">GCHQ
        Using US Companies, NSA To Route Around Domestic Surveillance

      <p>Specifically, it can collect the emails of members of Parliament
  this way, because they pass it through Microsoft.</p></li>

  <li><p>Spyware in Cisco TNP IP phones:
      <a href="http://boingboing.net/2012/12/29/your-cisco-phone-is-listening.html">

<div class="big-subsection">
  <h4 id="SpywareInSkype">Spyware in Skype</h4>
  <span class="anchor-reference-id">(<a href="#SpywareInSkype">#SpywareInSkype</a>)</span>

  <li><p>Spyware in Skype:
      <a href="http://www.forbes.com/sites/petercohan/2013/06/20/project-chess-how-u-s-snoops-on-your-skype/">
      Microsoft changed Skype
      <a href="http://www.guardian.co.uk/world/2013/jul/11/microsoft-nsa-collaboration-user-data">
      specifically for spying</a>.</p>

<!-- #SpywareOnTheRoad -->
<!-- WEBMASTERS: make sure to place new items on top under each subsection -->

<div class="big-section">
  <h3 id="SpywareOnTheRoad">Spyware on The Road</h3>
  <span class="anchor-reference-id">(<a href="#SpywareOnTheRoad">#SpywareOnTheRoad</a>)</span>
<div style="clear: left;"></div>

<div class="big-subsection">
  <h4 id="SpywareInCameras">Spyware in Cameras</h4>
  <span class="anchor-reference-id">(<a href="#SpywareInCameras">#SpywareInCameras</a>)</span>

    <p>Every “home security” camera, if its manufacturer can communicate with it,
      is a surveillance device. <a
      Canary camera is an example</a>.</p>
    <p>The article describes wrongdoing by the manufacturer, based on the fact
      that the device is tethered to a server.</p>
    <p><a href="/proprietary/proprietary-tethers.html">More about proprietary tethering</a>.</p>
    <p>But it also demonstrates that the device gives the company
      surveillance capability.</p>
    <p>The Nest Cam “smart” camera is <a
        watching</a>, even when the “owner” switches it “off.”</p>
    <p>A “smart” device means the manufacturer is using it to outsmart

<div class="big-subsection">
  <h4 id="SpywareInElectronicReaders">Spyware in e-Readers</h4>
  <span class="anchor-reference-id">(<a href="#SpywareInElectronicReaders">#SpywareInElectronicReaders</a>)</span>

  <li><p>E-books can contain JavaScript code,
    and <a href="http://www.theguardian.com/books/2016/mar/08/men-make-up-their-minds-about-books-faster-than-women-study-finds">sometimes
    this code snoops on readers</a>.</p>

  <li><p>Spyware in many e-readers—not only the
      Kindle: <a href="https://www.eff.org/pages/reader-privacy-chart-2012">
      they report even which page the user reads at what time</a>.</p>

  <li><p>Adobe made “Digital Editions,” the e-reader used
      by most US libraries,
      <a href="http://www.computerworlduk.com/blogs/open-enterprise/drm-strikes-again-3575860/">
      send lots of data to Adobe</a>.  Adobe's “excuse”: it's
      needed to check DRM!</p>

<div class="big-subsection">
  <h4 id="SpywareInVehicles">Spyware in Vehicles</h4>
  <span class="anchor-reference-id">(<a href="#SpywareInVehicles">#SpywareInVehicles</a>)</span>

<li><p>Computerized cars with nonfree software are
  <a href="http://www.thelowdownblog.com/2016/07/your-cars-been-studying-you-closely-and.html">
  snooping devices</a>.</p>

  <li id="nissan-modem"><p>The Nissan Leaf has a built-in cell phone modem which allows
  anyone <a href="https://www.troyhunt.com/controlling-vehicle-features-of-nissan/">to
  access its computers remotely and make changes in various

    <p>That's easy to do because the system has no authentication when
    accessed through the modem.  However, even if it asked for
    authentication, you couldn't be confident that Nissan has no
    access.  The software in the car is
    proprietary, <a href="/philosophy/free-software-even-more-important.html">which
    means it demands blind faith from its users</a>.</p>

    <p>Even if no one connects to the car remotely, the cell phone
    modem enables the phone company to track the car's movements all
    the time; it is possible to physically remove the cell phone modem

  <li id="records-drivers"><p>Proprietary software in cars
      <a href="http://www.usatoday.com/story/money/cars/2013/03/24/car-spying-edr-data-privacy/1991751/">records information about drivers' movements</a>,
      which is made available to car manufacturers, insurance companies, and

      <p>The case of toll-collection systems, mentioned in this article, is not
      really a matter of proprietary surveillance. These systems are an
      intolerable invasion of privacy, and should be replaced with anonymous
      payment systems, but the invasion isn't done by malware. The other
      cases mentioned are done by proprietary malware in the car.</p></li>

  <li><p>Tesla cars allow the company to extract data remotely and
      determine the car's location at any time. (See
      <a href="http://www.teslamotors.com/sites/default/files/pdfs/tmi_privacy_statement_external_6-14-2013_v2.pdf">
      Section 2, paragraphs b and c.</a>). The company says it doesn't
      store this information, but if the state orders it to get the data
      and hand it over, the state can store it.</p>

<!-- #SpywareAtHome -->
<!-- WEBMASTERS: make sure to place new items on top under each subsection -->

<div class="big-section">
  <h3 id="SpywareAtHome">Spyware at Home</h3>
  <span class="anchor-reference-id">(<a href="#SpywareAtHome">#SpywareAtHome</a>)</span>
<div style="clear: left;"></div>

  <li><p>A medical insurance
        company <a href="https://wolfstreet.com/2018/04/14/our-dental-insurance-sent-us-free-internet-connected-toothbrushes-and-this-is-what-happened-next">
        offers a gratis electronic toothbrush that snoops on its user
        by sending usage data back over the Internet</a>.</p>

  <li><p>Lots of “smart” products are
        designed <a href="http://enews.cnet.com/ct/42931641:shoPz52LN:m:1:1509237774:B54C9619E39F7247C0D58117DD1C7E96:r:27417204357610908031812337994022">to
        listen to everyone in the house, all the time</a>.</p>

    <p>Today's technological practice does not include any way of
    making a device that can obey your voice commands without
    potentially spying on you.  Even if it is air-gapped, it could be
    saving up records about you for later examination.</p>

  <li><p>Nest thermometers
  send <a href="http://bgr.com/2014/07/17/google-nest-jailbreak-hack">a
  lot of data about the user</a>.</p>

  <li><p><a href="http://consumerman.com/Rent-to-own%20giant%20accused%20of%20spying%20on%20its%20customers.htm">
      Rent-to-own computers were programmed to spy on their renters</a>.</p>

<div class="big-subsection">
  <h4 id="SpywareInTVSets">Spyware in TV Sets</h4>
  <span class="anchor-reference-id">(<a href="#SpywareInTVSets">#SpywareInTVSets</a>)</span>

<p>Emo Phillips made a joke: The other day a woman came up to me and
said, “Didn't I see you on television?” I said, “I
don't know. You can't see out the other way.” Evidently that was
before Amazon “smart” TVs.</p>

  <li><p>Some “Smart” TVs
      automatically <a href="https://news.ycombinator.com/item?id=16727319">load
      downgrades that install a surveillance app</a>.</p>

    <p>We link to the article for the facts it presents. It is too bad
      that the article finishes by advocating the moral weakness of
      surrendering to Netflix. The Netflix
      app <a href="/proprietary/malware-google.html#netflix-app-geolocation-drm">is
      malware too</a>.</p>

    “smart” <a href="https://www.ftc.gov/news-events/blogs/business-blog/2017/02/what-vizio-was-doing-behind-tv-screen">TVs
    report everything that is viewed on them, and not just broadcasts
    and cable</a>. Even if the image is coming from the user's own
    computer, the TV reports what it is. The existence of a way to
    disable the surveillance, even if it were not hidden as it was in
    these TVs, does not legitimize the surveillance.</p>

  <li><p>More or less all “smart” TVs <a
  on their users</a>.</p>

    <p>The report was as of 2014, but we don't expect this has got better.</p>

    <p>This shows that laws requiring products to get users' formal
      consent before collecting personal data are totally inadequate.
      And what happens if a user declines consent?  Probably the TV
      will say, “Without your consent to tracking, the TV will
      not work.”</p>

    <p>Proper laws would say that TVs are not allowed to report what
      the user watches — no exceptions!</p>
  <li><p>Vizio goes a step further than other TV manufacturers in spying on 
      their users: their <a href="http://www.propublica.org/article/own-a-vizio-smart-tv-its-watching-you">
      “smart” TVs analyze your viewing habits in detail and 
      link them your IP address</a> so that advertisers can track you 
      across devices.</p>
      <p>It is possible to turn this off, but having it enabled by default
      is an injustice already.</p>
  <li><p>Tivo's alliance with Viacom adds 2.3 million households to
      the 600 millions social media profiles the company already
      monitors. Tivo customers are unaware they're being watched by
      advertisers. By combining TV viewing information with online
      social media participation, Tivo can now <a href="http://www.reuters.com/article/viacom-tivo-idUSL1N12U1VV20151102">correlate TV
      advertisement with online purchases</a>, exposing all users to
      new combined surveillance by default.</p></li>
  <li><p>Some web and TV advertisements play inaudible sounds to be
      picked up by proprietary malware running on other devices in
      range so as to determine that they are nearby.  Once your
      Internet devices are paired with your TV, advertisers can
      correlate ads with Web activity, and
      other <a href="http://arstechnica.com/tech-policy/2015/11/beware-of-ads-that-use-inaudible-sound-to-link-your-phone-tv-tablet-and-pc/">cross-device tracking</a>.</p>
  <li><p>Vizio “smart” TVs recognize and
      <a href="http://www.engadget.com/2015/07/24/vizio-ipo-inscape-acr/">track what people are watching</a>,
      even if it isn't a TV channel.</p>
  <li><p>The Amazon “Smart” TV
      <a href="http://www.theguardian.com/technology/shortcuts/2014/nov/09/amazon-echo-smart-tv-watching-listening-surveillance">is
      snooping all the time</a>.</p>
  <li><p>The Samsung “Smart” TV
      <a href="http://www.consumerreports.org/cro/news/2015/02/who-s-the-third-party-that-samsung-and-lg-smart-tvs-are-sharing-your-voice-data-with/index.htm">transmits users' voice on the internet to another
    company, Nuance</a>.  Nuance can save it and would then have to
      give it to the US or some other government.</p>
      <p>Speech recognition is not to be trusted unless it is done
    by free software in your own computer.</p>

      <p>In its privacy policy, Samsung explicitly confirms
      that <a href="http://theweek.com/speedreads/538379/samsung-warns-customers-not-discuss-personal-information-front-smart-tvs">voice
      data containing sensitive information will be transmitted to
      third parties</a>.</p>
  <li><p>Spyware in
      <a href="http://doctorbeet.blogspot.co.uk/2013/11/lg-smart-tvs-logging-usb-filenames-and.html">
      LG “smart” TVs</a> reports what the user watches, and
      the switch to turn this off has no effect.  (The fact that the
      transmission reports a 404 error really means nothing; the server
      could save that data anyway.)</p>

      <p>Even worse, it
      <a href="http://rambles.renney.me/2013/11/lg-tv-logging-filenames-from-network-folders/">
      snoops on other devices on the user's local network.</a></p>

      <p>LG later said it had installed a patch to stop this, but any product
      could spy this way.</p>

      <p>Meanwhile, LG TVs
      <a href="http://www.techdirt.com/articles/20140511/17430627199/lg-will-take-smart-out-your-smart-tv-if-you-dont-agree-to-share-your-viewing-search-data-with-third-parties.shtml"> do lots of spying anyway</a>.</p>
      <p><a href="http://arstechnica.com/business/2015/05/verizon-fios-reps-know-what-tv-channels-you-watch/">Verizon cable TV snoops on what programs people watch, and even what they wanted to record.</a></p>

<!-- #SpywareInGames -->
<div class="big-section">
  <h3 id="SpywareInGames">Spyware in Games</h3>
  <span class="anchor-reference-id">(<a href="#SpywareInGames">#SpywareInGames</a>)</span>
<div style="clear: left;"></div>

    <p>ArenaNet surreptitiously installed a spyware program along with an
      update to the massive multiplayer game Guild War 2.  The spyware
      allowed ArenaNet <a href="https://techraptor.net/content/arenanet-used-spyware-anti-cheat-for-guild-wars-2-banwave">
      to snoop on all open processes running on its user's

    <p>The driver for a certain gaming keyboard <a href="https://thehackernews.com/2017/11/mantistek-keyboard-keylogger.html">sends information
        to China</a>.</p>

  <li><p>nVidia's proprietary GeForce Experience <a href="http://www.gamersnexus.net/industry/2672-geforce-experience-data-transfer-analysis">makes
      users identify themselves and then sends personal data about them to
      nVidia servers</a>.</p>

  <li><p>Angry Birds
      <a href="http://www.nytimes.com/2014/01/28/world/spy-agencies-scour-phone-apps-for-personal-data.html">
      spies for companies, and the NSA takes advantage to spy through it too</a>.
      Here's information on
      <a href="http://confabulator.blogspot.com/2012/11/analysis-of-what-information-angry.html">
      more spyware apps</a>.</p>
      <p><a href="http://www.propublica.org/article/spy-agencies-probe-angry-birds-and-other-apps-for-personal-data">
      More about NSA app spying</a>.</p>

      <a href="http://www.thestar.com/news/canada/2015/12/29/how-much-data-are-video-games-collecting-about-you.html/">
      video game consoles snoop on their users and report to the 
      internet</a>— even what their users weigh.</p>

      <p>A game console is a computer, and you can't trust a computer with 
      a nonfree operating system.</p>

  <li><p>Modern gratis game cr…apps
      <a href="http://toucharcade.com/2015/09/16/we-own-you-confessions-of-a-free-to-play-producer/">
      collect a wide range of data about their users and their users' 
      friends and associates</a>.</p>

      <p>Even nastier, they do it through ad networks that merge the data
      collected by various cr…apps and sites made by different 

      <p>They use this data to manipulate people to buy things, and hunt 
      for “whales” who can be led to spend a lot of money. They 
      also use a back door to manipulate the game play for specific players.</p>

      <p>While the article describes gratis games, games that cost money 
      can use the same tactics.</p>    

<!-- #SpywareAtRecreation -->
<div class="big-section">
  <h3 id="SpywareAtRecreation">Spyware at Recreation</h3>
  <span class="anchor-reference-id">
    (<a href="#SpywareAtRecreation">#SpywareAtRecreation</a>)</span>
<div style="clear: left;"></div>

  <li><p>Users are suing Bose for
      <a href="https://www.washingtonpost.com/news/the-switch/wp/2017/04/19/bose-headphones-have-been-spying-on-their-customers-lawsuit-claims/">
	distributing a spyware app for its headphones</a>.
      Specifically, the app would record the names of the audio files
      users listen to along with the headphone's unique serial number.
    <p>The suit accuses that this was done without the users' consent.
      If the fine print of the app said that users gave consent for this,
      would that make it acceptable? No way! It should be flat out
      <a href="/philosophy/surveillance-vs-democracy.html">
	illegal to design the app to snoop at all</a>.

<!-- #SpywareOnTheWeb -->

<div class="big-section">
  <h3 id="SpywareOnTheWeb">Spyware on the Web</h3>
  <span class="anchor-reference-id">(<a href="#SpywareOnTheWeb">#SpywareOnTheWeb</a>)</span>
<div style="clear: left;"></div>

<p>In addition, many web sites spy on their visitors.  Web sites are not
   programs, so it
   <a href="/philosophy/network-services-arent-free-or-nonfree.html">
   makes no sense to call them “free” or “proprietary”</a>,
   but the surveillance is an abuse all the same.</p>

  <li><p> The Storyful
      program <a href="https://www.theguardian.com/world/2018/may/17/revealed-how-storyful-uses-tool-monitor-what-journalists-watch">spies
      on the reporters that use it</a>.

  <li><p>When a page uses Disqus for
  comments, <a href="https://blog.dantup.com/2017/01/visiting-a-site-that-uses-disqus-comments-when-not-logged-in-sends-the-url-to-facebook">the
  proprietary Disqus software loads a Facebook software package into
  the browser of every anonymous visitor to the page, and makes the
  page's URL available to Facebook</a>.

  <li><p>Online sales, with tracking and surveillance of customers, <a href="https://www.theguardian.com/commentisfree/2016/dec/06/cookie-monsters-why-your-browsing-history-could-mean-rip-off-prices">enables
      businesses to show different people different prices</a>. Most
      of the tracking is done by recording interactions with
      servers, but proprietary software contributes.</p>

  <li><p><a href="http://japandailypress.com/government-warns-agencies-against-using-chinas-baidu-application-after-data-transmissions-discovered-2741553/"> href="https://www.techrepublic.com/blog/asian-technology/japanese-government-warns-baidu-ime-is-spying-on-users/">
      Baidu's Japanese-input and Chinese-input apps spy on users.</a></p>

  <li><p>Pages that contain “Like” buttons <a href="http://www.smh.com.au/technology/technology-news/facebooks-privacy-lie-aussie-exposes-tracking-as-new-patent-uncovered-20111004-1l61i.html">
      enable Facebook to track visitors to those pages</a>—even
      users that don't have Facebook accounts.</p>

  <li><p>Many web sites rat their visitors to advertising networks that track
      users.  Of the top 1000 web sites, <a
      (as of 5/17/2012) fed their visitors third-party cookies, allowing other
      sites to track them</a>.</p>

  <li><p>Many web sites report all their visitors to Google by using
      the Google Analytics service, which
      <a href="http://www.pcworld.idg.com.au/article/434164/google_analytics_breaks_norwegian_privacy_laws_local_agency_said/">
      tells Google the IP address and the page that was visited.</a></p>

  <li><p>Many web sites try to collect users' address books (the
      user's list of other people's phone numbers or email addresses).
      This violates the privacy of those other people.</p>

  <li><p><a href="http://www.itproportal.com/2014/05/14/microsoft-openly-offered-cloud-data-fbi-and-nsa/">
      Microsoft SkyDrive allows the NSA to directly examine users' data</a>.</p>

<!-- WEBMASTERS: make sure to place new items on top under each subsection -->
<div class="big-subsection">
  <h4 id="SpywareInFlash">Spyware in JavaScript and Flash</h4>
  <span class="anchor-reference-id">(<a href="#SpywareInFlash">#SpywareInFlash</a>)</span>

    <p>British Airways
      used <a href="https://www.theverge.com/2018/7/19/17591732/british-airways-gdpr-compliance-twitter-personal-data-security">nonfree
      JavaScript on its web site to give other companies personal data
      on its customers</a>.</p>

    <p>Some JavaScript malware <a
    swipes usernames from browser-based password managers</a>.</p>

    <p>Some websites send JavaScript code to collect all the user's
    input, <a href="https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/">which can then
        be used to reproduce the whole session</a>.</p>

    <p>If you use LibreJS, it will block that malicious JavaScript

  <li><p>Many web sites use JavaScript code <a
    to snoop on information that users have typed into a form but not
    sent</a>, in order to learn their identity. Some are <a
    getting sued</a> for this.</p>

  <li><p>Flash Player's
      <a href="http://www.imasuper.com/66/technology/flash-cookies-the-silent-privacy-killer/">
      cookie feature helps web sites track visitors</a>.</p>

  <li><p>Flash and JavaScript are also used for
      <a href="http://arstechnica.com/security/2013/10/top-sites-and-maybe-the-nsa-track-users-with-device-fingerprinting/">
      “fingerprinting” devices</a> to identify users.</p>

<!-- WEBMASTERS: make sure to place new items on top under each subsection -->
<div class="big-subsection">
  <h4 id="SpywareInChrome">Spyware in Chrome</h4>
  <span class="anchor-reference-id">(<a href="#SpywareInChrome">#SpywareInChrome</a>)</span>

  <li><p>Google Chrome
      <a href="https://www.brad-x.com/2013/08/04/google-chrome-is-spyware/">
	spies on browser history, affiliations</a>,
      and other installed software.
  <li><p>Google Chrome contains a key logger that
      <a href="http://www.favbrowser.com/google-chrome-spyware-confirmed/">
	sends Google every URL typed in</a>, one key at a time.</p>
  <li><p>Google Chrome includes a module that
      <a href="https://www.privateinternetaccess.com/blog/2015/06/google-chrome-listening-in-to-your-room-shows-the-importance-of-privacy-defense-in-depth/">
	activates microphones and transmits audio to its servers</a>.</p>
  <li><p>Google Chrome makes it easy for an extension to do <a
    snooping on the user's browsing</a>, and many of them do so.</p>

<!-- #SpywareInDrones -->
<div class="big-section">
  <h3 id="SpywareInDrones">Spyware in Drones</h3>
  <span class="anchor-reference-id">(<a href="#SpywareInDrones">#SpywareInDrones</a>)</span>
<div style="clear: left;"></div>

    <p>While you're using a DJI drone to snoop on other people, DJI is in many
      cases <a href="https://www.theverge.com/2017/8/4/16095244/us-army-stop-using-dji-drones-cybersecurity">snooping on you</a>.</p>

<!-- #SpywareEverywhere -->
<div class="big-section">
  <h3 id="SpywareEverywhere">Spyware Everywhere</h3>
  <span class="anchor-reference-id">(<a href="#SpywareEverywhere">#SpywareEverywhere</a>)</span>
<div style="clear: left;"></div>

  <li><p>The natural extension of monitoring people through 
      “their” phones is <a 
      proprietary software to make sure they can't “fool” the 

  <li><p><a href="http://www.pocket-lint.com/news/134954-cortana-is-always-listening-with-new-wake-on-voice-tech-even-when-windows-10-is-sleeping">
      Intel devices will be able to listen for speech all the time, even when “off.”</a></p>

<!-- #SpywareInVR -->
<div class="big-section">
    <h3 id="SpywareInVR">Spyware In VR</h3>
    <span class="anchor-reference-id">(<a href="#SpywareInVR">#SpywareInVR</a>)</span>
<div style="clear: left;"></div>

  <li><p>VR equipment, measuring every slight motion, creates the
      potential for the most intimate surveillance ever. All it takes
      to make this potential
      real <a href="https://theintercept.com/2016/12/23/virtual-reality-allows-the-most-detailed-intimate-digital-surveillance-yet/">is
      software as malicious as many other programs listed in this

    <p>You can bet Facebook will implement the maximum possible
      surveillance on Oculus Rift devices. The moral is, never trust a
      VR system with nonfree software in it.</p>

</div><!-- for id="content", starts in the include above -->
<!--#include virtual="/server/footer.html" -->
<div id="footer">
<div class="unprintable">

<p>Please send general FSF & GNU inquiries to
<a href="mailto:gnu@gnu.org"><gnu@gnu.org></a>.
There are also <a href="/contact/">other ways to contact</a>
the FSF.  Broken links and other corrections or suggestions can be sent
to <a href="mailto:webmasters@gnu.org"><webmasters@gnu.org></a>.</p>

<p><!-- TRANSLATORS: Ignore the original text in this paragraph,
        replace it with the translation of these two:

        We work hard and do our best to provide accurate, good quality
        translations.  However, we are not exempt from imperfection.
        Please send your comments and general suggestions in this regard
        to <a href="mailto:web-translators@gnu.org">

        <p>For information on coordinating and submitting translations of
        our web pages, see <a
        README</a>. -->
Please see the <a
README</a> for information on coordinating and submitting translations
of this article.</p>

<!-- Regarding copyright, in general, standalone pages (as opposed to
     files generated as part of manuals) on the GNU web server should
     be under CC BY-ND 4.0.  Please do NOT change or remove this
     without talking with the webmasters or licensing team first.
     Please make sure the copyright date is consistent with the
     document.  For web pages, it is ok to list just the latest year the
     document was modified, or published.

     If you wish to list earlier years, that is ok too.
     Either "2001, 2002, 2003" or "2001-2003" are ok for specifying
     years, as long as each year in the range is in fact a copyrightable
     year, i.e., a year in which the document was published (including
     being publicly visible on the web or in a revision control system).

     There is more detail about copyright years in the GNU Maintainers
     Information document, www.gnu.org/prep/maintain. -->

<p>Copyright © 2015, 2016, 2017, 2018 Free Software Foundation, Inc.</p>

<p>This page is licensed under a <a rel="license"
Commons Attribution-NoDerivatives Attribution 4.0 International License</a>.</p>

<!--#include virtual="/server/bottom-notes.html" -->

<p class="unprintable">Updated:
<!-- timestamp start -->
$Date: 2018/08/02 07:32:59 $
<!-- timestamp end -->