<!--#include virtual="/server/header.html" --> <!-- Parent-Version:1.791.92 --> <!--#set var="DISABLE_TOP_ADDENDUM" value="yes" --> <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Please do not edit <ul class="blurbs">! Instead, edit /proprietary/workshop/mal.rec, then regenerate pages. See explanations in /proprietary/workshop/README.md. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ --> <title>Proprietary Surveillance - GNU Project - Free Software Foundation</title> <link rel="stylesheet" type="text/css" href="/side-menu.css" media="screen,print" /> <style type="text/css"media="print,screen"><!-- .announcementmedia="screen,print"><!-- .pict {background: none;width: 18em; margin: 2em auto; }#surveillance div.toc.pict p {width: 24.5em; max-width: 94%; margin-bottom: 1em;font-size: .9em; } @media (min-width:48em) { #surveillance div.toc46em) {float: left; width: auto; max-width: 48%; margin: .2em 0 1em; } #surveillance .medium.pict { width:43%;18em; float: right; margin:7em.3em 0 1em1.5em;2em; } } --></style> <!-- GNUN: localize URL /graphics/dog.small.jpg --> <!--#include virtual="/proprietary/po/proprietary-surveillance.translist" --> <!--#include virtual="/server/banner.html" --> <div class="nav"> <a id="side-menu-button" class="switch" href="#navlinks"> <img id="side-menu-icon" height="32" src="/graphics/icons/side-menu.png" title="Section contents" alt=" [Section contents] " /> </a> <p class="breadcrumb"> <a href="/"><img src="/graphics/icons/home.png" height="24" alt="GNU Home" title="GNU Home" /></a> / <a href="/proprietary/proprietary.html">Malware</a> / By type / </p> </div> <!--GNUN: OUT-OF-DATE NOTICE--> <!--#if expr="$OUTDATED_SINCE" --><!--#else --> <!--#if expr="$LANGUAGE_SUFFIX" --> <!--#set var="DISABLE_TOP_ADDENDUM" value="no" --> <!--#include virtual="/server/top-addendum.html" --> <!--#endif --> <!--#endif --> <div style="clear: both"></div> <div id="last-div" class="reduced-width"> <h2>Proprietary Surveillance</h2> <div class="infobox"> <hr class="full-width" /> <p>Nonfree (proprietary) software is very often malware (designed to mistreat the user). Nonfree software is controlled by its developers, which puts them in a position of power over the users; <a href="/philosophy/free-software-even-more-important.html">that is the basic injustice</a>. The developers and manufacturers often exercise that power to the detriment of the users they ought to serve.</p><div class="announcement"><p>Thisdocument attempts to track <strong>clearly established cases of proprietary software that spies on or tracks users</strong>.</p> <p><a href="/proprietary/proprietary.html"> Other examplestypically takes the form ofproprietary malware</a></p>malicious functionalities.</p> <hr class="full-width" /> </div> <divid="surveillance"> <div class="pict medium">id="surveillance" class="pict"> <a href="/graphics/dog.html"> <img src="/graphics/dog.small.jpg" alt="Cartoon of a dog, wondering at the three ads that popped up on his computer screen..." /></a> <p>“How did they find out I'm a dog?”</p> </div> <divclass="toc">class="article"> <div class="italic"> <p>A common malicious functionality is to snoop on the user. This page records <strong>clearly established cases of proprietary software that spies on or tracks users</strong>. Manufacturers even refuse to <a href="https://techcrunch.com/2018/10/19/smart-home-devices-hoard-data-government-demands/">say whether they snoop on users for the state</a>.</p> <p>All appliances and applications that are tethered to a specific server are snoopers by nature. We do not list them here because they have their own page: <a href="/proprietary/proprietary-tethers.html#about-page">Proprietary Tethers</a>.</p> </div> <div class="important" style="clear: both"> <p>If you know of an example that ought to be in this page but isn't here, please write to <a href="mailto:webmasters@gnu.org"><webmasters@gnu.org></a> to inform us. Please include the URL of a trustworthy reference or two to serve as specific substantiation.</p> </div> <div id="TOC" class="toc-inline"> <h3 id="TableOfContents">Table of Contents</h3><ul> <li><a href="#Introduction">Introduction</a></li> <li><a<h4><a href="#Introduction">Introduction</a></h4> <h4><a href="#OSSpyware">Spyware inOperating Systems</a>Laptops and Desktops</a></h4> <ul> <li><ahref="#SpywareInWindows">Spyware in Windows</a></li>href="#SpywareInWindows">Windows</a></li> <li><ahref="#SpywareInMacOS">Spyware in MacOS</a></li>href="#SpywareInMacOS">MacOS</a></li> <li><ahref="#SpywareInAndroid">Spyware in Android</a></li>href="#SpywareInBIOS">BIOS</a></li> </ul></li> <li><a<h4><a href="#SpywareOnMobiles">Spyware onMobiles</a>Mobiles</a></h4> <ul> <li><ahref="#SpywareIniThings">Spyware in iThings</a></li>href="#SpywareInTelephones">All “Smart” Phones</a></li> <li><ahref="#SpywareInTelephones">Spyware in Telephones</a></li>href="#SpywareIniThings">iThings</a></li> <li><ahref="#SpywareInMobileApps">Spyware in Mobile Applications</a></li>href="#SpywareInAndroid">Android Telephones</a></li> <li><ahref="#SpywareInGames">Spywarehref="#SpywareInElectronicReaders">E-Readers</a></li> </ul> <h4><a href="#SpywareInApplications">Spyware inGames</a></li>Applications</a></h4> <ul> <li><ahref="#SpywareInToys">Spyware in Toys</a></li> </ul> </li>href="#SpywareInDesktopApps">Desktop Apps</a></li> <li><ahref="#SpywareAtLowLevel">Spyware at Low Level</a> <ul>href="#SpywareInMobileApps">Mobile Apps</a></li> <li><ahref="#SpywareInBIOS">Spyware in BIOS</a></li> <!--href="#SpywareInSkype">Skype</a></li> <li><ahref="#SpywareInFirmware">Spyware in Firmware</a></li> -->href="#SpywareInGames">Games</a></li> </ul></li> <li><a href="#SpywareAtWork">Spyware at Work</a><h4><a href="#SpywareInEquipment">Spyware in Connected Equipment</a></h4> <ul> <li><ahref="#SpywareInSkype">Spyware in Skype</a></li> </ul> </li>href="#SpywareInTVSets">TV Sets</a></li> <li><ahref="#SpywareOnTheRoad">Spyware on the Road</a> <ul>href="#SpywareInCameras">Cameras</a></li> <li><ahref="#SpywareInCameras">Spyware in Cameras</a></li>href="#SpywareInToys">Toys</a></li> <li><ahref="#SpywareInElectronicReaders">Spyware in e-Readers</a></li>href="#SpywareInDrones">Drones</a></li> <li><ahref="#SpywareInVehicles">Spyware in Vehicles</a></li> </ul> </li>href="#SpywareAtHome">Other Appliances</a></li> <li><ahref="#SpywareAtHome">Spyware at Home</a>href="#SpywareOnWearables">Wearables</a> <ul> <li><ahref="#SpywareInTVSets">Spyware in TV Sets</a></li>href="#SpywareOnSmartWatches">“Smart” Watches</a></li> </ul> </li> <li><ahref="#SpywareAtPlay">Spyware at Play</a></li>href="#SpywareInVehicles">Vehicles</a></li> <li><a href="#SpywareInVR">Virtual Reality</a></li> </ul> <h4><a href="#SpywareOnTheWeb">Spyware on theWeb</a>Web</a></h4> <ul> <li><ahref="#SpywareInChrome">Spyware in Chrome</a></li> <li><a href="#SpywareInFlash">Spyware in Flash</a></li> </ul> </li>href="#SpywareInChrome">Chrome</a></li> <li><ahref="#SpywareEverywhere">Spyware Everywhere</a></li>href="#SpywareInJavaScript">JavaScript</a></li> <li><ahref="#SpywareInVR">Spyware In VR</a></li>href="#SpywareInFlash">Flash</a></li> </ul></div><h4><a href="#SpywareInNetworks">Spyware in Networks</a></h4> </div> <divstyle="clear: left;"></div> <!-- #Introduction --> <divclass="big-section"> <h3 id="Introduction">Introduction</h3> </div> <div style="clear: left;"></div> <p>For decades, the Free Software movement has been denouncing the abusive surveillance machine of <a href="/proprietary/proprietary.html">proprietary software</a> companies such as <a href="/proprietary/malware-microsoft.html">Microsoft</a> and <a href="/proprietary/malware-apple.html">Apple</a>. In the recent years, this tendency to watch people has spread across industries, not only in the software business, but also in the hardware. Moreover, it also spread dramatically away from the keyboard, in the mobile computing industry, in the office, at home, in transportation systems, and in the classroom.</p><h3<h4 id="AggregateInfoCollection">AggregateInformation Collection</h3>or anonymized data</h4> <p>Many companies, in their privacy policy, have a clause that claims they share aggregate, non-personally identifiable information with third parties/partners. Such claims are worthless, for several reasons:</p> <ul> <li>They could change the policy at any time.</li> <li>They can twist the words by distributing an “aggregate” of “anonymized” data which can be reidentified and attributed to individuals.</li> <li>The raw data they don't normally distribute can be taken by data breaches.</li> <li>The raw data they don't normally distribute can be taken by subpoena.</li> </ul> <p>Therefore, we mustnever pay any attention tonot be distracted by companies' statements of whatcompanies saythey will <em>do</em> with the data they collect. The wrong is that they collect it at all.</p><h3<h4 id="LatestAdditions">Latestadditions</h3> <p>Latest additionsadditions</h4> <p>Entries in each category arefoundin reverse chronological order, based ontop under each category.</p> <!-- #OSSpyware --> <!-- WEBMASTERS: make sure to place new itemsthe dates of publication of linked articles. The latest additions are listed ontop under each subsection -->the <a href="/proprietary/proprietary.html#latest">main page</a> of the Malware section.</p> <div class="big-section"> <h3 id="OSSpyware">Spyware inOperating Systems</h3>Laptops and Desktops</h3> <span class="anchor-reference-id">(<a href="#OSSpyware">#OSSpyware</a>)</span> </div> <div style="clear: left;"></div> <div class="big-subsection"> <h4id="SpywareInWindows">Spyware in Windows</h4>id="SpywareInWindows">Windows</h4> <span class="anchor-reference-id">(<a href="#SpywareInWindows">#SpywareInWindows</a>)</span> </div><ul> <li><p>By<ul class="blurbs"> <li id="M201712110"> <p>HP's proprietary operating system <a href="http://www.bbc.com/news/technology-42309371">includes a proprietary keyboard driver with a key logger in it</a>.</p> </li> <li id="M201710134"> <p>Windows 10 telemetry program sends information to Microsoft about the user's computer and their use of the computer.</p> <p>Furthermore, for users who installed the fourth stable build of Windows 10, called the “Creators Update,” Windows maximized the surveillance <a href="https://arstechnica.com/gadgets/2017/10/dutch-privacy-regulator-says-that-windows-10-breaks-the-law"> by force setting the telemetry mode to “Full”</a>.</p> <p>The <a href="https://docs.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization#full-level"> “Full” telemetry mode</a> allows Microsoft Windows engineers to access, among other things, registry keys <a href="https://technet.microsoft.com/en-us/library/cc939702.aspx">which can contain sensitive information like administrator's login password</a>.</p> </li> <li id="M201702020"> <p>DRM-restricted files can be used to <a href="https://yro.slashdot.org/story/17/02/02/231229/windows-drm-protected-files-used-to-decloak-tor-browser-users"> identify people browsing through Tor</a>. The vulnerability exists only if you use Windows.</p> </li> <li id="M201611240"> <p>By default, Windows 10 <a href="http://betanews.com/2016/11/24/microsoft-shares-windows-10-telemetry-data-with-third-parties">sends debugging information to Microsoft, including core dumps</a>. Microsoft now distributes them to anothercompany.</p></li> <li><p>Some portable phones <a href="http://www.prnewswire.com/news-releases/kryptowire-discovered-mobile-phone-firmware-that-transmitted-personally-identifiable-information-pii-without-user-consent-or-disclosure-300362844.html">are sold with spyware sending lots of data to China</a>.</p></li> <li>Incompany.</p> </li> <li id="M201608170.1"> <p>In order to increase Windows 10's install base, Microsoft <a class="not-a-duplicate" href="https://www.eff.org/deeplinks/2016/08/windows-10-microsoft-blatantly-disregards-user-choice-and-privacy-deep-dive"> blatantly disregards user choice andprivacy</a>.privacy</a>.</p> </li><li><p><a<li id="M201603170"> <p><a href="https://duo.com/blog/bring-your-own-dilemma-oem-laptops-and-windows-10-security"> Windows 10 comes with 13 screens of snooping options</a>, all enabled by default, and turning them off would be daunting to mostusers.</p></li> <li><p><a href="https://theintercept.com/2015/12/28/recently-bought-a-windows-computer-microsoft-probably-has-your-encryption-key/"> Microsoft has already backdoored its disk encryption</a>.</p></li> <li>Itusers.</p> </li> <li id="M201601050"> <p>It appears <a href="http://www.ghacks.net/2016/01/05/microsoft-may-be-collecting-more-data-than-initially-thought/"> Windows 10 sends data to Microsoft about what applications arerunning</a>.</li> <li><p>Arunning</a>.</p> </li> <li id="M201512280"> <p>Microsoft has <a href="https://theintercept.com/2015/12/28/recently-bought-a-windows-computer-microsoft-probably-has-your-encryption-key/"> backdoored its disk encryption</a>.</p> </li> <li id="M201511264"> <p>A downgrade to Windows 10 deleted surveillance-detection applications. Then another downgrade inserted a general spying program. Users noticed this and complained, so Microsoft renamed it <ahref="https://web.archive.org/web/20160407082751/http://www.theregister.co.uk/2015/11/26/microsoft_renamed_data_slurper_reinserted_windows_10/">href="https://www.theregister.co.uk/2015/11/26/microsoft_renamed_data_slurper_reinserted_windows_10/"> to give users the impression it was gone</a>.</p> <p>To use proprietary software is to invite such treatment.</p> </li><li><p><li id="M201508180"> <p><a href="https://web.archive.org/web/20150905163414/http://www.pocket-lint.com/news/134954-cortana-is-always-listening-with-new-wake-on-voice-tech-even-when-windows-10-is-sleeping"> Intel devices will be able to listen for speech all the time, even when “off.”</a></p> </li> <li id="M201508130"> <p><a href="http://arstechnica.com/information-technology/2015/08/even-when-told-not-to-windows-10-just-cant-stop-talking-to-microsoft/"> Windows 10 sends identifiable information to Microsoft</a>, even if a user turns off its Bing search and Cortana features, and activates the privacy-protection settings.</p> </li> <li id="M201507300"> <p>Windows 10 <ahref="https://web.archive.org/web/20151001035410/https://jonathan.porta.codes/2015/07/30/windows-10-seems-to-have-some-scary-privacy-defaults/">href="https://web.archive.org/web/20180923125732/https://jonathan.porta.codes/2015/07/30/windows-10-seems-to-have-some-scary-privacy-defaults/"> ships with default settings that show no regard for the privacy of its users</a>, giving Microsoft the “right” to snoop on the users' files, text input, voice input, location info, contacts, calendar records and web browsing history, as well as automatically connecting the machines to open hotspots and showing targetedads.</p></li> <li><p> <a href="http://arstechnica.com/information-technology/2015/08/even-when-told-not-to-windows-10-just-cant-stop-talking-to-microsoft/"> Windows 10 sends identifiable information to Microsoft</a>, even if a user turns off its Bing search and Cortana features, and activates the privacy-protection settings.</p></li> <li><p>ads.</p> <p>We can suppose Microsoft look at users' files for the US government on demand, though the “privacy policy” does not explicitly say so. Will it look at users' files for the Chinese government on demand?</p> </li> <li id="M201506170"> <p>Microsoft uses Windows 10's “privacy policy” to overtly impose a “right” to look at users' files at any time. Windows 10 full disk encryption <a href="https://edri.org/microsofts-new-small-print-how-your-personal-data-abused/"> gives Microsoft a key</a>.</p> <p>Thus, Windows is overt malware in regard to surveillance, as in other issues.</p> <p>We can suppose Microsoft look at users' files for the US government on demand, though the “privacy policy” does not explicit say so. Will it look at users' files for the Chinese government on demand?</p> <p>The unique “advertising ID” for each user enables other companies to track the browsing of each specific user.</p> <p>It's as if Microsoft has deliberately chosen to make Windows 10 maximally evil on every dimension; to make a grab for total power over anyone that doesn't drop Windowsnow.</p></li> <li><p>Itnow.</p> </li> <li id="M201410040"> <p>It only gets worse with time. <a href="http://www.techworm.net/2014/10/microsofts-windows-10-permission-watch-every-move.html"> Windows 10 requires users to give permission for total snooping</a>, including their files, their commands, their text input, and their voice input.</p> </li><li><p><a href="http://www.infoworld.com/article/2611451/microsoft-windows/a-look-at-the-black-underbelly-of-windows-8-1--blue-.html"><li id="M201401150"> <p id="baidu-ime"><a href="https://www.techrepublic.com/blog/asian-technology/japanese-government-warns-baidu-ime-is-spying-on-users/"> Baidu's Japanese-input and Chinese-input apps spy on users</a>.</p> </li> <li id="M201307080"> <p>Spyware in older versions of Windows: <a href="https://www.theregister.co.uk/2003/02/28/windows_update_keeps_tabs/"> Windows Update snoops on the user</a>. <a href="https://www.infoworld.com/article/2611451/a-look-at-the-black-underbelly-of-windows-8-1--blue-.html"> Windows 8.1 snoops on localsearches.</a>.</p> </li> <li><p>Andsearches</a>. And there's a <a href="http://www.marketoracle.co.uk/Article40836.html"> secret NSA key in Windows</a>, whose functions we don't know.</p> </li> </ul> <p>Microsoft's snooping on users did not start with Windows 10. There's a lot more <a href="/proprietary/malware-microsoft.html"> Microsoft malware</a>.</p> <div class="big-subsection"> <h4id="SpywareInMacOS">Spyware in MacOS</h4>id="SpywareInMacOS">MacOS</h4> <span class="anchor-reference-id">(<a href="#SpywareInMacOS">#SpywareInMacOS</a>)</span> </div><ul> <li><p><a href="http://www.washingtonpost.com/blogs/the-switch/wp/2014/10/30/how-one-mans-private-files-ended-up-on-apples-icloud-without-his-consent/"> MacOS automatically sends to Apple servers unsaved documents being edited</a>. The<ul class="blurbs"> <li id="M201809070"> <p>Adware Doctor, an ad blocker for MacOS, <ahref="https://www.schneier.com/blog/archives/2014/10/apple_copies_yo.html?utm_source=twitterfeed&utm_medium=twitter/"> things you have not decided to save are even more sensitive thanhref="https://motherboard.vice.com/en_us/article/wjye8x/mac-anti-adware-doctor-app-steals-browsing-history">reports thethings you have stored in files</a>.</p>user's browsing history</a>.</p> </li><li><p>Apple<li id="M201411040"> <p>Apple has made various <a href="http://www.theguardian.com/technology/2014/nov/04/apple-data-privacy-icloud"> MacOS programs send files to Apple servers without asking permission</a>. This exposes the files to Big Brother and perhaps to other snoops.</p> <p>It also demonstrates how you can't trust proprietary software, because even if today's version doesn't have a malicious functionality, tomorrow's version might add it. The developer won't remove the malfeature unless many users push back hard, and the users can't remove it themselves.</p> </li><li><p>Various operations in <a href="http://lifehacker.com/safari-and-spotlight-can-send-data-to-apple-heres-how-1648453540"> the latest<li id="M201410300"> <p> MacOSsend reportsautomatically <a href="https://web.archive.org/web/20170831144456/https://www.washingtonpost.com/news/the-switch/wp/2014/10/30/how-one-mans-private-files-ended-up-on-apples-icloud-without-his-consent/"> sends toApple</a> servers.</p>Apple servers unsaved documents being edited</a>. The things you have not decided to save are <a href="https://www.schneier.com/blog/archives/2014/10/apple_copies_yo.html?utm_source=twitterfeed&utm_medium=twitter/"> even more sensitive</a> than the things you have stored in files.</p> </li><li><p>Apple<li id="M201410220"> <p>Apple admits the <a href="http://www.intego.com/mac-security-blog/spotlight-suggestions-in-os-x-yosemite-and-ios-are-you-staying-private/"> spying in a search facility</a>, but there's a lot <a href="https://github.com/fix-macosx/yosemite-phone-home"> more snooping that Apple has not talked about</a>.</p> </li><li><p><a<li id="M201410200"> <p>Various operations in <a href="http://lifehacker.com/safari-and-spotlight-can-send-data-to-apple-heres-how-1648453540"> the latest MacOS send reports to Apple</a> servers.</p> </li> <li id="M201401100.1"> <p><a href="http://finance.yahoo.com/blogs/the-exchange/privacy-advocates-worry-over-new-apple-iphone-tracking-feature-161836223.html"> Spotlight search</a> sends users' search terms to Apple.</p> </li> </ul> <p>There's a lot more <a href="#SpywareIniThings">iThing spyware</a>, and <a href="/proprietary/malware-apple.html">Apple malware</a>.</p> <div class="big-subsection"> <span id="SpywareAtLowLevel"></span> <h4id="SpywareInAndroid">Spyware in Android</h4>id="SpywareInBIOS">BIOS</h4> <span class="anchor-reference-id">(<ahref="#SpywareInAndroid">#SpywareInAndroid</a>)</span>href="#SpywareInBIOS">#SpywareInBIOS</a>)</span> </div><ul> <li><p>More than 73% of the most popular Android apps <a href="http://jots.pub/a/2015103001/index.php">share personal, behavioral<ul class="blurbs"> <li id="M201509220"> <p><a href="https://www.computerworld.com/article/2984889/lenovo-collects-usage-data-on-thinkpad-thinkcentre-and-thinkstation-pcs.html"> Lenovo stealthily installed crapware andlocation information</a> of their users with third parties.</p> </li> <li><p>“Cryptic communication,” unrelated tospyware via BIOS</a> on Windows installs. Note that theapp's functionality, wasspecific sabotage method Lenovo used did not affect GNU/Linux; also, a “clean” Windows install is not really clean since <ahref="http://news.mit.edu/2015/data-transferred-android-apps-hiding-1119"> foundhref="/proprietary/malware-microsoft.html">Microsoft puts inthe 500 most popular gratis Android apps</a>.</p> <p>The article should not have described theseits own malware</a>.</p> </li> </ul> <div class="big-section"> <h3 id="SpywareOnMobiles">Spyware on Mobiles</h3> <span class="anchor-reference-id">(<a href="#SpywareOnMobiles">#SpywareOnMobiles</a>)</span> </div> <div style="clear: left;"></div> <div class="big-subsection"> <h4 id="SpywareInTelephones">All “Smart” Phones</h4> <span class="anchor-reference-id">(<a href="#SpywareInTelephones">#SpywareInTelephones</a>)</span> </div> <ul class="blurbs"> <li id="M202006260"> <p>Most appsas “free”—theyarenot free software. The clear way to say “zero price”malware, but Trump's campaign app, like Modi's campaign app, is“gratis.”</p><a href="https://www.technologyreview.com/2020/06/21/1004228/trumps-data-hungry-invasive-app-is-a-voter-surveillance-tool-of-extraordinary-scope/ ">especially nasty malware, helping companies snoop on users as well as snooping on them itself</a>.</p> <p>The articletakes for grantedsays thatthe usual analytics tools are legitimate,Biden's app has a less manipulative overall approach, butis that valid? Software developers have no right to analyze what users are doing or how. “Analytics” toolsthatsnoop are just as wrong as any other snooping.</p> </li> <li><p>Gratis Android apps (butdoes not<a href="/philosophy/free-sw.html">free software</a>) connect to 100 <a href="http://www.theguardian.com/technology/2015/may/06/free-android-apps-connect-tracking-advertising-websites">tracking and advertising</a> URLs, ontell us whether it has functionalities we consider malicious, such as sending data theaverage.</p>user has not explicitly asked to send.</p> </li><li><p>Spyware<li id="M201601110"> <p>The natural extension of monitoring people through “their” phones ispresent in some Android devices when<a href="http://www.northwestern.edu/newscenter/stories/2016/01/fool-activity-tracker.html"> proprietary software to make sure theyare sold. Some Motorola phones modify Androidcan't “fool” the monitoring</a>.</p> </li> <li id="M201510050"> <p>According to Edward Snowden, <ahref="http://www.beneaththewaves.net/Projects/Motorola_Is_Listening.html"> send personalhref="http://www.bbc.com/news/uk-34444233">agencies can take over smartphones</a> by sending hidden text messages which enable them to turn the phones on and off, listen to the microphone, retrieve geo-location data from the GPS, take photographs, read text messages, read call, location and web browsing history, and read the contact list. This malware is designed toMotorola</a>.</p>disguise itself from investigation.</p> </li><li><p>Some manufacturers add a<li id="M201311120"> <p><a href="https://web.archive.org/web/20180816030205/http://www.spiegel.de/international/world/privacy-scandal-nsa-can-spy-on-smart-phone-data-a-920971.html"> The NSA can tap data in smart phones, including iPhones, Android, and BlackBerry</a>. While there is not much detail here, it seems that this does not operate via the universal back door that we know nearly all portable phones have. It may involve exploiting various bugs. There are <ahref="http://androidsecuritytest.com/features/logs-and-services/loggers/carrieriq/"> hidden general surveillance package such as Carrier IQ.</a></p>href="http://www.osnews.com/story/27416/The_second_operating_system_hiding_in_every_mobile_phone"> lots of bugs in the phones' radio software</a>.</p> </li><li><p><a href="/proprietary/proprietary-back-doors.html#samsung"> Samsung's back door</a> provides access to any file<li id="M201307000"> <p>Portable phones with GPS <a href="http://www.aclu.org/government-location-tracking-cell-phones-gps-devices-and-license-plate-readers"> will send their GPS location onthe system.</p>remote command, and users cannot stop them</a>. (The US says it will eventually require all new portable phones to have GPS.)</p> </li> </ul><!-- #SpywareOnMobiles --> <!-- WEBMASTERS: make sure to place new items on top under each subsection --> <div class="big-section"> <h3 id="SpywareOnMobiles">Spyware on Mobiles</h3> <span class="anchor-reference-id">(<a href="#SpywareOnMobiles">#SpywareOnMobiles</a>)</span> </div> <div style="clear: left;"></div><div class="big-subsection"> <h4id="SpywareIniThings">Spyware in iThings</h4>id="SpywareIniThings">iThings</h4> <span class="anchor-reference-id">(<a href="#SpywareIniThings">#SpywareIniThings</a>)</span> </div><ul> <li><p>iPhones<ul class="blurbs"> <li id="M201910131"> <p>Safari occasionally <ahref="https://theintercept.com/2016/11/17/iphones-secretly-send-call-history-to-apple-security-firm-says">send lots of personalhref="https://blog.cryptographyengineering.com/2019/10/13/dear-apple-safe-browsing-might-not-be-that-safe/"> sends browsing datato Apple's servers</a>. Big Brother can get themfromthere.</p> </li> <li><p>The iMessage app on iThings <a href="https://theintercept.com/2016/09/28/apple-logs-your-imessage-contacts-and-may-share-them-with-police/">tells a server every phone number that the user types into it</a>;Apple devices in China to theserver records these numbers for at least 30 days.</p>Tencent Safe Browsing service</a>, to check URLs that possibly correspond to “fraudulent” websites. Since Tencent collaborates with the Chinese government, its Safe Browsing black list most certainly contains the websites of political opponents. By linking the requests originating from single IP addresses, the government can identify dissenters in China and Hong Kong, thus endangering their lives.</p> </li><li><p>Users cannot make an Apple ID<li id="M201905280"> <p>In spite of Apple's supposed commitment to privacy, iPhone apps contain trackers that are busy at night <ahref="http://apple.stackexchange.com/questions/49951/how-can-i-download-free-apps-without-registering-an-apple-idcool">(necessaryhref="https://www.oregonlive.com/opinion/2019/05/its-3-am-do-you-know-who-your-iphone-is-talking-to.html"> sending users' personal information toinstall even gratis apps)</a> without giving a validthird parties</a>.</p> <p>The article mentions specific examples: Microsoft OneDrive, Intuit’s Mint, Nike, Spotify, The Washington Post, The Weather Channel (owned by IBM), the crime-alert service Citizen, Yelp and DoorDash. But it is likely that most nonfree apps contain trackers. Some of these send personally identifying data such as phone fingerprint, exact location, email address, phone number or even delivery address (in the case of DoorDash). Once this information is collected by the company, there is no telling what it will be used for.</p> </li> <li id="M201711250"> <p>The DMCA andreceivingthecodeEU Copyright Directive make it <a href="https://boingboing.net/2017/11/25/la-la-la-cant-hear-you.html"> illegal to study how iOS cr…apps spy on users</a>, because this would require circumventing the iOS DRM.</p> </li> <li id="M201709210"> <p>In the latest iThings system, “turning off” WiFi and Bluetooth the obvious way <a href="https://www.theguardian.com/technology/2017/sep/21/ios-11-apple-toggling-wifi-bluetooth-control-centre-doesnt-turn-them-off"> doesn't really turn them off</a>. A more advanced way really does turn them off—only until 5am. That's Applesendsfor you—“We know you want toit.</p>be spied on”.</p> </li><li><p>Around 47% of<li id="M201702150"> <p>Apple proposes <a href="https://www.theguardian.com/technology/2017/feb/15/apple-removing-iphone-home-button-fingerprint-scanning-screen">a fingerprint-scanning touch screen</a>—which would mean no way to use it without having your fingerprints taken. Users would have no way to tell whether themost popular iOS appsphone is snooping on them.</p> </li> <li id="M201611170"> <p>iPhones <ahref="http://jots.pub/a/2015103001/index.php">share personal, behavioral and location information</a>href="https://theintercept.com/2016/11/17/iphones-secretly-send-call-history-to-apple-security-firm-says/">send lots oftheir users with third parties.</p>personal data to Apple's servers</a>. Big Brother can get them from there.</p> </li> <li id="M201609280"> <p>The iMessage app on iThings <a href="https://theintercept.com/2016/09/28/apple-logs-your-imessage-contacts-and-may-share-them-with-police/">tells a server every phone number that the user types into it</a>; the server records these numbers for at least 30 days.</p> </li><li><p>iThings<li id="M201509240"> <p>iThings automatically upload to Apple's servers all the photos and videos they make.</p> <blockquote><p> iCloud Photo Library stores every photo and video you take, and keeps them up to date on all your devices. Any edits you make are automatically updated everywhere.[...][…] </p></blockquote> <p>(From <a href="https://www.apple.com/icloud/photos/">Apple's iCloud information</a> as accessed on 24 Sep 2015.) The iCloud feature is <a href="https://support.apple.com/en-us/HT202033">activated by the startup of iOS</a>. The term “cloud” means “please don't ask where.”</p> <p>There is a way to <a href="https://support.apple.com/en-us/HT201104"> deactivate iCloud</a>, but it's active by default so it still counts as a surveillance functionality.</p> <p>Unknown people apparently took advantage of this to <a href="https://www.theguardian.com/technology/2014/sep/01/naked-celebrity-hack-icloud-backup-jennifer-lawrence">get nude photos of many celebrities</a>. They needed to break Apple's security to get at them, but NSA can access any of them through <ahref="/philosophy/surveillance-vs-democracy.html#digitalcash">PRISM</a>. </p></li> <li><p>Spyware in iThings: the <a href="http://finance.yahoo.com/blogs/the-exchange/privacy-advocates-worry-over-new-apple-iphone-tracking-feature-161836223.html"> iBeacon</a> lets stores determine exactly where the iThing is,href="/philosophy/surveillance-vs-democracy.html#digitalcash">PRISM</a>.</p> </li> <li id="M201409220"> <p>Apple can, andgetregularly does, <a href="http://arstechnica.com/apple/2014/05/new-guidelines-outline-what-iphone-data-apple-can-give-to-police/"> remotely extract some data from iPhones for the state</a>.</p> <p>This may have improved with <a href="https://www.denverpost.com/2014/09/17/apple-will-no-longer-unlock-most-iphones-ipads-for-police/"> iOS 8 security improvements</a>; but <a href="https://firstlook.org/theintercept/2014/09/22/apple-data/"> not as much as Apple claims</a>.</p> </li> <li id="M201407230"> <p><a href="http://www.theguardian.com/technology/2014/jul/23/iphone-backdoors-surveillance-forensic-services"> Several “features” of iOS seem to exist for no possible purpose other than surveillance</a>. Here is the <a href="http://www.zdziarski.com/blog/wp-content/uploads/2014/07/iOS_Backdoors_Attack_Points_Surveillance_Mechanisms_Moved.pdf"> Technical presentation</a>.</p> </li> <li id="M201401100"> <p>The <a class="not-a-duplicate" href="http://finance.yahoo.com/blogs/the-exchange/privacy-advocates-worry-over-new-apple-iphone-tracking-feature-161836223.html"> iBeacon</a> lets stores determine exactly where the iThing is, and get other info too.</p> </li><li><p>There<li id="M201312300"> <p><a href="http://www.zerohedge.com/news/2013-12-30/how-nsa-hacks-your-iphone-presenting-dropout-jeep"> Either Apple helps the NSA snoop on all the data in an iThing, or it is totally incompetent</a>.</p> </li> <li id="M201308080"> <p>The iThing also <a href="https://www.theregister.co.uk/2013/08/08/ios7_tracking_now_its_a_favourite_feature/"> tells Apple its geolocation</a> by default, though that can be turned off.</p> </li> <li id="M201210170"> <p>There is also a feature for web sites to track users, which is <a href="http://nakedsecurity.sophos.com/2012/10/17/how-to-disable-apple-ios-user-tracking-ios-6/"> enabled by default</a>. (That article talks about iOS 6, but it is still true in iOS 7.)</p> </li><li><p>The iThing also <a href="https://web.archive.org/web/20160313215042/http://www.theregister.co.uk/2013/08/08/ios7_tracking_now_its_a_favourite_feature/"> tells<li id="M201204280"> <p>Users cannot make an Appleits geolocation</a> by default, though that can be turned off.</p> </li> <li><p>Apple can,ID (<a href="https://apple.stackexchange.com/questions/49951/how-can-i-download-free-apps-without-registering-an-apple-id">necessary to install even gratis apps</a>) without giving a valid email address andregularly does, <a href="http://arstechnica.com/apple/2014/05/new-guidelines-outline-what-iphone-data-apple-can-give-to-police/"> remotely extract some data from iPhones forreceiving thestate</a>.</p> </li> <li><p><a href="http://www.zerohedge.com/news/2013-12-30/how-nsa-hacks-your-iphone-presenting-dropout-jeep"> Eitherverification code Applehelps the NSA snoop on all the data in an iThing, or it is totally incompetent.</a></p> </li> <li><p><a href="http://www.theguardian.com/technology/2014/jul/23/iphone-backdoors-surveillance-forensic-services"> Several “features” of iOS seemsends toexist for no possible purpose other than surveillance</a>. Here is the <a href="http://www.zdziarski.com/blog/wp-content/uploads/2014/07/iOS_Backdoors_Attack_Points_Surveillance_Mechanisms_Moved.pdf"> Technical presentation</a>.</p>it.</p> </li> </ul> <div class="big-subsection"> <h4id="SpywareInTelephones">Spyware inid="SpywareInAndroid">Android Telephones</h4> <span class="anchor-reference-id">(<ahref="#SpywareInTelephones">#SpywareInTelephones</a>)</span>href="#SpywareInAndroid">#SpywareInAndroid</a>)</span> </div><ul> <li><p>According to Edward Snowden,<ul class="blurbs"> <li id="M202004300"> <p>Xiaomi phones <ahref="http://www.bbc.com/news/uk-34444233">agencies can take over smartphones</a> by sending hidden text messages which enable them to turnhref="https://www.forbes.com/sites/thomasbrewster/2020/04/30/exclusive-warning-over-chinese-mobile-giant-xiaomi-recording-millions-of-peoples-private-web-and-phone-use/">report many actions thephones onuser takes</a>: starting an app, looking at a folder, visiting a website, listening to a song. They send device identifying information too.</p> <p>Other nonfree programs snoop too. For instance, Spotify andoff, listenother streaming dis-services make a dossier about each user, and <a href="/malware/proprietary-surveillance.html#M201508210"> they make users identify themselves to pay</a>. Out, out, damned Spotify!</p> <p>Forbes exonerates themicrophone, retrieve geo-location datasame wrongs when the culprits are not Chinese, but we condemn this no matter who does it.</p> </li> <li id="M201812060"> <p>Facebook's app got “consent” to <a href="https://www.theguardian.com/technology/2018/dec/06/facebook-emails-reveal-discussions-over-call-log-consent"> upload call logs automatically from Android phones</a> while disguising what theGPS, take photographs, read text messages, read call,“consent” was for.</p> </li> <li id="M201811230"> <p>An Android phone was observed to track location even while in airplane mode. It didn't send the location data while in airplane mode. Instead, <a href="https://www.thesun.co.uk/tech/7811918/google-is-tracking-you-even-with-airplane-mode-turned-on/"> it saved up the data, andweb browsing history,sent them all later</a>.</p> </li> <li id="M201711210"> <p>Android tracks location for Google <a href="https://www.techdirt.com/articles/20171121/09030238658/investigation-finds-google-collected-location-data-even-with-location-services-turned-off.shtml"> even when “location services” are turned off, even when the phone has no SIM card</a>.</p> </li> <li id="M201611150"> <p>Some portable phones <a href="http://www.prnewswire.com/news-releases/kryptowire-discovered-mobile-phone-firmware-that-transmitted-personally-identifiable-information-pii-without-user-consent-or-disclosure-300362844.html">are sold with spyware sending lots of data to China</a>.</p> </li> <li id="M201609140"> <p>Google Play (a component of Android) <a href="https://www.extremetech.com/mobile/235594-yes-google-play-is-tracking-you-and-thats-just-the-tip-of-a-very-large-iceberg"> tracks the users' movements without their permission</a>.</p> <p>Even if you disable Google Maps andreadlocation tracking, you must disable Google Play itself to completely stop thecontact list.tracking. Thismalwareisdesignedyet another example of nonfree software pretending todisguise itself from investigation.</p>obey the user, when it's actually doing something else. Such a thing would be almost unthinkable with free software.</p> </li><li><p>Samsung<li id="M201507030"> <p>Samsung phones come with <a href="http://arstechnica.com/gadgets/2015/07/samsung-sued-for-loading-devices-with-unremovable-crapware-in-china/">apps that users can't delete</a>, and they send so much data that their transmission is a substantial expense for users. Said transmission, not wanted or requested by the user, clearly must constitute spying of somekind.</p></li> <li><p>A Motorola phone <a href="http://www.itproportal.com/2013/07/25/motorolas-new-x8-arm-chip-underpinning-the-always-on-future-of-android/"> listens for voice allkind.</p> </li> <li id="M201403120"> <p><a href="/proprietary/proprietary-back-doors.html#samsung"> Samsung's back door</a> provides access to any file on thetime</a>.</p>system.</p> </li><li><p>Spyware<li id="M201308010"> <p>Spyware in Android phones (and Windows? laptops): The Wall Street Journal (in an article blocked from us by a paywall) reports that <a href="http://www.theverge.com/2013/8/1/4580718/fbi-can-remotely-activate-android-and-laptop-microphones-reports-wsj"> the FBI can remotely activate the GPS and microphone in Android phones andlaptops</a>. (I suspect this meanslaptops</a> (presumably Windowslaptops.)laptops). Here is <a href="http://cryptome.org/2013/08/fbi-hackers.htm">more info</a>.</p> </li><li><p>Portable phones with GPS will send their GPS location on remote command and users cannot stop them: <a href="http://www.aclu.org/government-location-tracking-cell-phones-gps-devices-and-license-plate-readers"> http://www.aclu.org/government-location-tracking-cell-phones-gps-devices-and-license-plate-readers</a>. (The US says it will eventually require all new portable phones to have GPS.)</p> </li> <li><p>The nonfree Snapchat app's principal purpose<li id="M201307280"> <p>Spyware isto restrict thepresent in some Android devices when they are sold. Some Motorola phones, made when this company was owned by Google, use a modified version of Android that <a href="http://www.beneaththewaves.net/Projects/Motorola_Is_Listening.html"> sends personal dataonto Motorola</a>.</p> </li> <li id="M201307250"> <p>A Motorola phone <a href="https://web.archive.org/web/20170629175629/http://www.itproportal.com/2013/07/25/motorolas-new-x8-arm-chip-underpinning-the-always-on-future-of-android/"> listens for voice all theuser's computer, but it does surveillance too:time</a>.</p> </li> <li id="M201302150"> <p>Google Play intentionally sends app developers <ahref="http://www.theguardian.com/media/2013/dec/27/snapchat-may-be-exposed-hackers"> it tries to gethref="http://gadgets.ndtv.com/apps/news/google-play-store-policy-raises-privacy-concerns-331116"> theuser's listpersonal details ofother people's phone numbers.</a></p>users that install the app</a>.</p> <p>Merely asking the “consent” of users is not enough to legitimize actions like this. At this point, most users have stopped reading the “Terms and Conditions” that spell out what they are “consenting” to. Google should clearly and honestly identify the information it collects on users, instead of hiding it in an obscurely worded EULA.</p> <p>However, to truly protect people's privacy, we must prevent Google and other companies from getting this personal information in the first place!</p> </li> <li id="M201111170"> <p>Some manufacturers add a <a href="http://androidsecuritytest.com/features/logs-and-services/loggers/carrieriq/"> hidden general surveillance package such as Carrier IQ</a>.</p> </li> </ul> <div class="big-subsection"> <h4id="SpywareInMobileApps">Spyware in Mobile Applications</h4>id="SpywareInElectronicReaders">E-Readers</h4> <span class="anchor-reference-id">(<ahref="#SpywareInMobileApps">#SpywareInMobileApps</a>)</span>href="#SpywareInElectronicReaders">#SpywareInElectronicReaders</a>)</span> </div><ul> <li><p>The Uber app tracks <a href="https://techcrunch.com/2016/11/28/uber-background-location-data-collection/">clients' movements before<ul class="blurbs"> <li id="M201603080"> <p>E-books can contain JavaScript code, andafter the ride</a>.</p> <p>This example illustrates how “getting the user's consent” for surveillance is inadequate as a protection against massive surveillance.</p> </li> <li><p>Google's new voice messaging app <a href="http://www.theverge.com/2016/9/21/12994362/allo-privacy-message-logs-google">logs all conversations</a>.</p> </li> <li><p>Apps that include<ahref="http://techaeris.com/2016/01/13/symphony-advanced-media-software-tracks-your-digital-life-through-your-smartphone-mic/"> Symphony surveillance software snoop on what radio and TV programs are playing nearby</a>. Also on what users posthref="http://www.theguardian.com/books/2016/mar/08/men-make-up-their-minds-about-books-faster-than-women-study-finds"> sometimes this code snoops onvarious sites such as Facebook, Google+ and Twitter.</p>readers</a>.</p> </li><li><p>Facebook's new Magic Photo app<li id="M201410080"> <p>Adobe made “Digital Editions,” the e-reader used by most US libraries, <ahref="https://web.archive.org/web/20160605165148/http://www.theregister.co.uk/2015/11/10/facebook_scans_camera_for_your_friends/"> scans your mobile phone's photo collections for known faces</a>, and suggests youhref="https://web.archive.org/web/20141220181015/http://www.computerworlduk.com/blogs/open-enterprise/drm-strikes-again-3575860/"> send lots of data toshare the picture you take accordingAdobe</a>. Adobe's “excuse”: it's needed towho ischeck DRM!</p> </li> <li id="M201212030"> <p>Spyware in many e-readers—not only theframe.</p> <p>This spyware feature seems to require online access to some known-faces database, which means the pictures are likely to be sent across the wire to Facebook's servers and face-recognition algorithms.</p> <p>If so, none of Facebook users' pictures are private anymore,Kindle: <a href="https://www.eff.org/pages/reader-privacy-chart-2012"> they report evenifwhich page the userdidn't “upload” them to the service.</p>reads at what time</a>.</p> </li><li><p>Like most “music screaming” disservices, Spotify is based on proprietary malware (DRM</ul> <div class="big-section"> <h3 id="SpywareInApplications">Spyware in Applications</h3> <span class="anchor-reference-id">(<a href="#SpywareInApplications">#SpywareInApplications</a>)</span> </div> <div style="clear: left;"></div> <div class="big-subsection"> <h4 id="SpywareInDesktopApps">Desktop Apps</h4> <span class="anchor-reference-id">(<a href="#SpywareInDesktopApps">#SpywareInDesktopApps</a>)</span> </div> <ul class="blurbs"> <li id="M201912190"> <p>Some Avast andsnooping). In August 2015 it <a href="http://www.theguardian.com/technology/2015/aug/21/spotify-faces-user-backlash-over-new-privacy-policy"> demanded users submitAVG extensions for Firefox and Chrome were found toincreased snooping</a>,<a href="https://www.itpro.co.uk/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome"> snoop on users' detailed browsing habits</a>. Mozilla andsomeGoogle removed the problematic extensions from their stores, but this shows once more how unsafe nonfree software can be. Tools that arestartingsupposed torealize thatprotect a proprietary system are, instead, infecting itis nasty.</p> <p>This article showswith additional malware (the system itself being the original malware).</p> </li> <li id="M201811020"> <p>Foundry's graphics software <ahref="https://web.archive.org/web/20160313214751/http://www.theregister.co.uk/2015/08/21/spotify_worse_than_the_nsa/"> twisted ways that they present snooping as a wayhref="https://torrentfreak.com/software-company-fines-pirates-after-monitoring-their-computers-181102/"> reports information to“serve” users better</a>—never mind whether they want that. Thisidentify who is running it</a>. The result is often atypical examplelegal threat demanding a lot of money.</p> <p>The fact that this is used for repression of forbidden sharing makes it even more vicious.</p> <p>This illustrates that making unauthorized copies of nonfree software is not a cure for theattitudeinjustice of nonfree software. It may avoid paying for theproprietary software industry towards those they have subjugated.</p> <p>Out, out, damned Spotify!</p>nasty thing, but cannot make it less nasty.</p> </li><li><p>Many proprietary apps for mobile devices report which other apps</ul> <div class="big-subsection"> <h4 id="SpywareInMobileApps">Mobile Apps</h4> <span class="anchor-reference-id">(<a href="#SpywareInMobileApps">#SpywareInMobileApps</a>)</span> </div> <ul class="blurbs"> <li id="M202003010"> <p>The Alipay Health Code app estimates whether the user hasinstalled. <a href="http://techcrunch.com/2014/11/26/twitter-app-graph/">Twitter is doing this in a way that at least is visibleCovid-19 andoptional</a>. Not as bad as what<a href="https://www.nytimes.com/2020/03/01/business/china-coronavirus-surveillance.html"> tells theothers do.</p>cops directly</a>.</p> </li><li><p>FTC says most mobile apps for children don't respect privacy:<li id="M202001290"> <p>The Amazon Ring app does <ahref="http://arstechnica.com/information-technology/2012/12/ftc-disclosures-severely-lacking-in-kids-mobile-appsand-its-getting-worse/"> http://arstechnica.com/information-technology/2012/12/ftc-disclosures-severely-lacking-in-kids-mobile-appsand-its-getting-worse/</a>.</p>href="https://www.theguardian.com/technology/2020/jan/29/ring-smart-doorbell-company-surveillance-eff-report"> surveillance for other companies as well as for Amazon</a>.</p> </li><li><p>Widely used<li id="M201912220"> <p>The ToToc messaging app seems to be a <ahref="https://freedom-to-tinker.com/blog/kollarssmith/scan-this-or-scan-me-user-privacy-barcode-scanning-applications/">proprietary QR-code scanner apps snoop onhref="https://www.nytimes.com/2019/12/22/us/politics/totok-app-uae.html"> spying tool for theuser</a>. Thisgovernment of the United Arab Emirates</a>. Any nonfree program could be doing this, and that isin additiona good reason to use free software instead.</p> <p><small>Note: this article uses thesnooping done by the phone company, and perhaps by the OSword “free” in thephone.</p> <p>Don't be distracted by the questionsense ofwhether“gratis.”</small></p> </li> <li id="M201912090"> <p>iMonsters and Android phones, when used for work, give employers powerful <a href="https://www.fastcompany.com/90440073/if-you-use-your-personal-phone-for-work-say-goodbye-to-your-privacy"> snooping and sabotage capabilities</a> if they install their own software on theapp developers get usersdevice. Many employers demand tosay “I agree”. Thatdo this. For the employee, this isno excuse for malware.</p>simply nonfree software, as fundamentally unjust and as dangerous as any other nonfree software.</p> </li><li><p>The Brightest Flashlight app <a href="http://www.theguardian.com/technology/2013/dec/06/android-app-50m-downloads-sent-data-advertisers"> sends user data, including geolocation, for use by companies.</a></p><li id="M201910130"> <p>TheFTC criticized thisChinese Communist Party's “Study the Great Nation” appbecauserequires users to grant itasked<a href="https://www.ndtv.com/world-news/chinese-app-allows-officials-access-to-100-million-users-phone-report-2115962"> access to theuserphone's microphone, photos, text messages, contacts, and internet history</a>, and the Android version was found toapprove sending personal datacontain a back-door allowing developers to run any code they wish in the users' phone, as “superusers.” Downloading and using this appdeveloperis mandatory at some workplaces.</p> <p>Note: The <a href="http://web-old.archive.org/web/20191015005153/https://www.washingtonpost.com/world/asia_pacific/chinese-app-on-xis-ideology-allows-data-access-to-100-million-users-phones-report-says/2019/10/11/2d53bbae-eb4d-11e9-bafb-da248f8d5734_story.html"> Washington Post version of the article</a> (partly obfuscated, butdid not ask about sending it to other companies. This showsreadable after copy-pasting in a text editor) includes a clarification saying that theweaknesstests were only performed on the Android version of thereject-it-if-you-dislike-snooping “solution” to surveillance: why should a flashlight app send any informationapp, and that, according toanyone? A free software flashlight app would not.</p>Apple, “this kind of ‘superuser’ surveillance could not be conducted on Apple's operating system.”</p> </li></ul> <div class="big-subsection"> <h4 id="SpywareInGames">Spyware in Games</h4> <span class="anchor-reference-id">(<a href="#SpywareInGames">#SpywareInGames</a>)</span> </div> <ul> <li><p>nVidia's proprietary GeForce Experience<li id="M201909091"> <p>The Facebook app <ahref="http://www.gamersnexus.net/industry/2672-geforce-experience-data-transfer-analysis">makeshref="https://eu.usatoday.com/story/tech/talkingtech/2019/09/09/facebook-app-social-network-tracking-your-every-move/2270305001/"> tracks usersidentify themselves and then sends personal data abouteven when it is turned off</a>, after tricking them into giving the app broad permissions in order tonVidia servers</a>.</p>use one of its functionalities.</p> </li><li><p>Angry Birds <a href="http://www.nytimes.com/2014/01/28/world/spy-agencies-scour-phone-apps-for-personal-data.html"> spies for companies,<li id="M201909090"> <p>Some nonfree period-tracking apps including MIA Fem andthe NSA takes advantage to spy through it too</a>. Here's information onMaya <ahref="http://confabulator.blogspot.com/2012/11/analysis-of-what-information-angry.html"> more spyware apps</a>.</p> <p><a href="http://www.propublica.org/article/spy-agencies-probe-angry-birds-and-other-apps-for-personal-data"> More about NSA app spying</a>.</p>href="https://www.buzzfeednews.com/article/meghara/period-tracker-apps-facebook-maya-mia-fem"> send intimate details of users' lives to Facebook</a>.</p> </li></ul> <div class="big-subsection"> <h4 id="SpywareInToys">Spyware in Toys</h4> <span class="anchor-reference-id">(<a href="#SpywareInToys">#SpywareInToys</a>)</span> </div> <ul> <li><p>A company that makes internet-controlled vibrators <a href="https://www.theguardian.com/us-news/2016/sep/14/wevibe-sex-toy-data-collection-chicago-lawsuit">is being sued<li id="M201909060"> <p>Keeping track of who downloads a proprietary program is a form of surveillance. There is a proprietary program forcollecting lotsadjusting a certain telescopic rifle sight. <a href="https://www.forbes.com/sites/thomasbrewster/2019/09/06/exclusive-feds-demand-apple-and-google-hand-over-names-of-10000-users-of-a-gun-scope-app/"> A US prosecutor has demanded the list ofpersonal information about howall the 10,000 or more peopleusewho have installed it</a>.</p><p>The company's statement that it anonymizes the data may<p>With a free program there would not betrue, but it doesn't really matter. If it sellsa list of who has installed it.</p> </li> <li id="M201907081"> <p>Many unscrupulous mobile-app developers keep finding ways to <a href="https://www.cnet.com/news/more-than-1000-android-apps-harvest-your-data-even-after-you-deny-permissions/"> bypass user's settings</a>, regulations, and privacy-enhancing features of thedataoperating system, in order toagather as much private databroker,as they possibly can.</p> <p>Thus, we can't trust rules against spying. What we can trust is having control over thedata brokersoftware we run.</p> </li> <li id="M201907080"> <p>Many Android apps canfigure out whotrack users' movements even when the useris.</p>says <a href="https://www.theverge.com/2019/7/8/20686514/android-covert-channel-permissions-data-collection-imei-ssid-location"> not to allow them access to locations</a>.</p> <p>This involves an apparently unintentional weakness in Android, exploited intentionally by malicious apps.</p> </li><li><p>A computerized vibrator<li id="M201905300"> <p>The Femm “fertility” app is secretly a <ahref="https://www.theguardian.com/technology/2016/aug/10/vibrator-phone-app-we-vibe-4-plus-bluetooth-hack">snoopshref="https://www.theguardian.com/world/2019/may/30/revealed-womens-fertility-app-is-funded-by-anti-abortion-campaigners"> tool for propaganda</a> by natalist Christians. It spreads distrust for contraception.</p> <p>It snoops onits users through theusers, too, as you must expect from nonfree programs.</p> </li> <li id="M201905060"> <p>BlizzCon 2019 imposed a <a href="https://arstechnica.com/gaming/2019/05/blizzcon-2019-tickets-revolve-around-invasive-poorly-reviewed-smartphone-app/"> requirement to run a proprietarycontrol app</a>.</p> <p>The app reportsphone app</a> to be allowed into thetemperatureevent.</p> <p>This app is a spyware that can snoop on a lot of sensitive data, including user's location and contact list, and has <a href="https://old.reddit.com/r/wow/comments/bkd5ew/you_need_to_have_a_phone_to_attend_blizzcon_this/emg38xv/"> near-complete control</a> over thevibrator minutephone.</p> </li> <li id="M201904131"> <p>Data collected byminute (thus, indirectly, whether itmenstrual and pregnancy monitoring apps issurrounded by a person's body),often <a href="https://www.theguardian.com/world/2019/apr/13/theres-a-dark-side-to-womens-health-apps-menstrual-surveillance"> available to employers and insurance companies</a>. Even though thevibration frequency.</p> <p>Notedata is “anonymized and aggregated,” it can easily be traced back to thetotally inadequate proposed response: a labeling standard with which manufacturers would make statements about their products, rather than free software which users can check and change.</p> </li> <li><p>Barbie <a href="http://www.mirror.co.uk/news/technology-science/technology/wi-fi-spy-barbie-records-childrens-5177673">is goingwoman who uses the app.</p> <p>This has harmful implications for women's rights tospy on childrenequal employment andadults.</a>.</p> </li> </ul> <!-- #SpywareAtLowLevel --> <!-- WEBMASTERS:freedom to makesuretheir own pregnancy choices. Don't use these apps, even if someone offers you a reward toplace new itemsdo so. A free-software app that does more or less the same thing without spying ontop under each subsection --> <div class="big-section"> <h3 id="SpywareAtLowLevel">Spyware at Low Level</h3> <span class="anchor-reference-id">(<a href="#SpywareAtLowLevel">#SpywareAtLowLevel</a>)</span> </div> <div style="clear: left;"></div> <div class="big-subsection"> <h4 id="SpywareInBIOS">Spyware in BIOS</h4> <span class="anchor-reference-id">(<a href="#SpywareInBIOS">#SpywareInBIOS</a>)</span> </div> <ul> <li><p>you is available from <ahref="http://www.computerworld.com/article/2984889/windows-pcs/lenovo-collects-usage-data-on-thinkpad-thinkcentre-and-thinkstation-pcs.html"> Lenovo stealthily installed crapwarehref="https://search.f-droid.org/?q=menstr">F-Droid</a>, andspyware via BIOS</a> on Windows installs. Note that the specific sabotage method Lenovo used did not affect GNU/Linux; also,<a href="https://www.bloomberg.com/news/audio/2019-04-10/building-a-better-period-tracking-app-podcast"> a“clean” Windows installnew one isnot really clean sincebeing developed</a>.</p> </li> <li id="M201904130"> <p>Google tracks the movements of Android phones and iPhones running Google apps, and sometimes <ahref="/proprietary/malware-microsoft.html">Microsoft putshref="https://www.nytimes.com/interactive/2019/04/13/us/google-location-tracking-police.html"> saves the data for years</a>.</p> <p>Nonfree software inits own malware</a>. </p></li> </ul> <!-- #SpywareAtWork --> <!-- WEBMASTERS: make surethe phone has toplace new items on top under each subsection --> <div class="big-section"> <h3 id="SpywareAtWork">Spyware at Work</h3> <span class="anchor-reference-id">(<a href="#SpywareAtWork">#SpywareAtWork</a>)</span> </div> <div style="clear: left;"></div> <ul> <li><p>Investigation Shows <a href="https://www.techdirt.com/articles/20160602/17210734610/investigation-shows-gchq-using-us-companies-nsa-to-route-around-domestic-surveillance-restrictions.shtml">GCHQ Using US Companies, NSA To Route Around Domestic Surveillance Restrictions</a>.</p> <p>Specifically, it can collectbe responsible for sending theemails of memberslocation data to Google.</p> </li> <li id="M201903251"> <p>Many Android phones come with a huge number ofParliament this way, because they<a href="https://elpais.com/elpais/2019/03/22/inenglish/1553244778_819882.html"> preinstalled nonfree apps that have access to sensitive data without users' knowledge</a>. These hidden apps may either call home with the data, or pass itthrough Microsoft.</p></li> <li><p>Spywareon to user-installed apps that have access to the network but no direct access to the data. This results inCisco TNP IP phones: <a href="http://boingboing.net/2012/12/29/your-cisco-phone-is-listening.html"> http://boingboing.net/2012/12/29/your-cisco-phone-is-listening.html</a></p>massive surveillance on which the user has absolutely no control.</p> </li></ul> <div class="big-subsection"> <h4 id="SpywareInSkype">Spyware in Skype</h4> <span class="anchor-reference-id">(<a href="#SpywareInSkype">#SpywareInSkype</a>)</span> </div> <ul> <li><p>Spyware in Skype: <a href="http://www.forbes.com/sites/petercohan/2013/06/20/project-chess-how-u-s-snoops-on-your-skype/"> http://www.forbes.com/sites/petercohan/2013/06/20/project-chess-how-u-s-snoops-on-your-skype/</a>. Microsoft changed Skype<li id="M201903201"> <p>A study of 24 “health” apps found that 19 of them <ahref="http://www.guardian.co.uk/world/2013/jul/11/microsoft-nsa-collaboration-user-data"> specifically for spying</a>.</p> </li> </ul> <!-- #SpywareOnTheRoad --> <!-- WEBMASTERS: make surehref="https://motherboard.vice.com/en_us/article/pan9e8/health-apps-can-share-your-data-everywhere-new-study-shows"> send sensitive personal data toplace new items on top under each subsection --> <div class="big-section"> <h3 id="SpywareOnTheRoad">Spyware on The Road</h3> <span class="anchor-reference-id">(<a href="#SpywareOnTheRoad">#SpywareOnTheRoad</a>)</span> </div> <div style="clear: left;"></div> <div class="big-subsection"> <h4 id="SpywareInCameras">Spywarethird parties</a>, which can use it for invasive advertising or discriminating against people inCameras</h4> <span class="anchor-reference-id">(<a href="#SpywareInCameras">#SpywareInCameras</a>)</span> </div> <ul> <li> <p>The Nest Cam “smart” camerapoor medical condition.</p> <p>Whenever user “consent” is<a href="http://www.bbc.com/news/technology-34922712">always watching</a>, even when the “owner” switchessought, it“off.”</p> <p>A “smart” device means the manufacturerisusing itburied in lengthy terms of service that are difficult tooutsmart you.</p>understand. In any case, “consent” is not sufficient to legitimize snooping.</p> </li></ul> <div class="big-subsection"> <h4 id="SpywareInElectronicReaders">Spyware in e-Readers</h4> <span class="anchor-reference-id">(<a href="#SpywareInElectronicReaders">#SpywareInElectronicReaders</a>)</span> </div> <ul> <li><p>E-books can contain Javascript code, and<li id="M201902230"> <p>Facebook offered a convenient proprietary library for building mobile apps, which also <ahref="http://www.theguardian.com/books/2016/mar/08/men-make-up-their-minds-about-books-faster-than-women-study-finds">sometimes this code snoops on readers</a>.</p> </li> <li><p>Spyware in many e-readers—not onlyhref="https://boingboing.net/2019/02/23/surveillance-zucksterism.html"> sent personal data to Facebook</a>. Lots of companies built apps that way and released them, apparently not realizing that all theKindle: <a href="https://www.eff.org/pages/reader-privacy-chart-2012">personal data theyreportcollected would go to Facebook as well.</p> <p>It shows that no one can trust a nonfree program, not evenwhich pagetheuser reads at what time</a>.</p>developers of other nonfree programs.</p> </li><li><p>Adobe made “Digital Editions,” the e-reader used by most US libraries,<li id="M201902140"> <p>The AppCensus database gives information on <ahref="http://www.computerworlduk.com/blogs/open-enterprise/drm-strikes-again-3575860/"> send lotshref="https://www.appcensus.mobi"> how Android apps use and misuse users' personal data</a>. As ofdataMarch 2019, nearly 78,000 have been analyzed, of which 24,000 (31%) transmit the <a href="/proprietary/proprietary-surveillance.html#M201812290"> Advertising ID</a> toAdobe</a>. Adobe's “excuse”: it's neededother companies, and <a href="https://blog.appcensus.mobi/2019/02/14/ad-ids-behaving-badly/"> 18,000 (23% of the total) link this ID tocheck DRM!</p> </li> </ul> <div class="big-subsection"> <h4 id="SpywareInVehicles">Spywarehardware identifiers</a>, so that users cannot escape tracking by resetting it.</p> <p>Collecting hardware identifiers is inVehicles</h4> <span class="anchor-reference-id">(<a href="#SpywareInVehicles">#SpywareInVehicles</a>)</span> </div> <ul> <li><p>Computerized cars with nonfree software are <a href="http://www.bloomberg.com/news/articles/2016-07-12/your-car-s-been-studying-you-closely-and-everyone-wants-the-data"> snooping devices</a>.</p>apparent violation of Google's policies. But it seems that Google wasn't aware of it, and, once informed, was in no hurry to take action. This proves that the policies of a development platform are ineffective at preventing nonfree software developers from including malware in their programs.</p> </li><li><p>The Nissan Leaf has<li id="M201902060"> <p>Many nonfree apps have abuilt-in cell phone modem which allows effectively anyonesurveillance feature for <ahref="https://www.troyhunt.com/controlling-vehicle-features-of-nissan/">to access its computers remotelyhref="https://techcrunch.com/2019/02/06/iphone-session-replay-screenshots/"> recording all the users' actions</a> in interacting with the app.</p> </li> <li id="M201902041.1"> <p>Twenty nine “beauty camera” apps that used to be on Google Play had one or more malicious functionalities, such as <a href="http://web-old.archive.org/web/20190917162150/https://www.teleanalysis.com/news/national/these-29-beauty-camera-apps-steal-private-photo-29923"> stealing users' photos</a> instead of “beautifying” them, pushing unwanted and often malicious ads on users, and redirecting them to phishing sites that stole their credentials. Furthermore, the user interface of most of them was designed to makechangesuninstallation difficult.</p> <p>Users should of course uninstall these dangerous apps if they haven't yet, but they should also stay away from nonfree apps invarious settings</a>.</p> <p>That's easy to dogeneral. <em>All</em> nonfree apps carry a potential risk becausethe system hasthere is noauthentication when accessed througheasy way of knowing what they really do.</p> </li> <li id="M201902010"> <p>An investigation of themodem. However, even if it asked150 most popular gratis VPN apps in Google Play found that <a href="https://www.top10vpn.com/free-vpn-android-app-risk-index/"> 25% fail to protect their users’ privacy</a> due to DNS leaks. In addition, 85% feature intrusive permissions or functions in their source code—often used forauthentication, you couldn'tinvasive advertising—that could potentially also beconfidentused to spy on users. Other technical flaws were found as well.</p> <p>Moreover, a previous investigation had found thatNissan has no access. The software in<a href="https://www.top10vpn.com/free-vpn-app-investigation/">half of thecartop 10 gratis VPN apps have lousy privacy policies</a>.</p> <p><small>(It isproprietary,unfortunate that these articles talk about “free apps.” These apps are gratis, but they are <em>not</em> <ahref="/philosophy/free-software-even-more-important.html">which means it demands blind faith from its users</a>.</p> <p>Even if no one connectshref="/philosophy/free-sw.html">free software</a>.)</small></p> </li> <li id="M201901050"> <p>The Weather Channel app <a href="https://www.theguardian.com/technology/2019/jan/04/weather-channel-app-lawsuit-location-data-selling"> stored users' locations to thecar remotely, the cell phone modem enables the phonecompany's server</a>. The companyto track the car's movements all the time; itispossible to physically removebeing sued, demanding that it notify thecell phone modem though.</p> </li> <li><p>Proprietary software in cars <a href="http://www.usatoday.com/story/money/cars/2013/03/24/car-spying-edr-data-privacy/1991751/">records information about drivers' movements</a>, which is made available to car manufacturers, insurance companies, and others.</p> <p>The caseusers oftoll-collection systems, mentioned in this article,what it will do with the data.</p> <p>We think that lawsuit isnot reallyabout amatter of proprietary surveillance. These systems are an intolerable invasion of privacy, and should be replacedside issue. What the company does withanonymous payment systems, buttheinvasion isn't done by malware.data is a secondary issue. Theother cases mentioned are done by proprietary malware in the car.</p></li> <li><p>Tesla cars allowprincipal wrong here is that the companyto extractgets that dataremotely and determine the car's locationatany time. (See <a href="http://www.teslamotors.com/sites/default/files/pdfs/tmi_privacy_statement_external_6-14-2013_v2.pdf"> Section 2, paragraphs ball.</p> <p><a href="https://motherboard.vice.com/en_us/article/gy77wy/stop-using-third-party-weather-apps"> Other weather apps</a>, including Accuweather andc.</a>). The company says it doesn't store this information, but ifWeatherBug, are tracking people's locations.</p> </li> <li id="M201812290"> <p>Around 40% of gratis Android apps <a href="https://privacyinternational.org/report/2647/how-apps-android-share-data-facebook-report"> report on thestate orders ituser's actions togetFacebook</a>.</p> <p>Often they send the machine's “advertising ID,” so that Facebook can correlate the dataand handitover,obtains from thestate can store it.</p> </li> </ul> <!-- #SpywareAtHome --> <!-- WEBMASTERS: make sure to place new items on top under each subsection --> <div class="big-section"> <h3 id="SpywareAtHome">Spyware at Home</h3> <span class="anchor-reference-id">(<a href="#SpywareAtHome">#SpywareAtHome</a>)</span> </div> <div style="clear: left;"></div> <ul> <li><p><a href="http://consumerman.com/Rent-to-own%20giant%20accused%20of%20spying%20on%20its%20customers.htm"> Rent-to-own computers were programmed to spy on their renters</a>.</p> </li> </ul> <div class="big-subsection"> <h4 id="SpywareInTVSets">Spywaresame machine via various apps. Some of them send Facebook detailed information about the user's activities inTV Sets</h4> <span class="anchor-reference-id">(<a href="#SpywareInTVSets">#SpywareInTVSets</a>)</span> </div> <p>Emo Phillips made a joke: The other day a woman came up to me and said, “Didn't I see you on television?” I said, “I don't know. You can't see outtheother way.” Evidentlyapp; others only say thatwas before Amazon “smart” TVs.</p> <ul> <li><p>More or less all “smart” TVs <a href=" http://www.myce.com/news/reseachers-all-smart-tvs-spy-on-you-sony-monitors-all-channel-switches-72851/">spy on their users</a>.</p> <p>The report was as of 2014,the user is using that app, butwe don't expect this has got better.</p> <p>This showsthatlaws requiring products to get users' formal consent before collecting personal data are totally inadequate. And what happens if a user declines consent? Probablyalone is often quite informative.</p> <p>This spying occurs regardless of whether theTV will say, “Without your consent to tracking,user has a Facebook account.</p> </li> <li id="M201810244"> <p>Some Android apps <a href="https://www.androidauthority.com/apps-uninstall-trackers-917539/amp/"> track theTV will not work.”</p> <p>Proper laws would sayphones of users thatTVshave deleted them</a>.</p> </li> <li id="M201808030"> <p>Some Google apps on Android <a href="https://www.theguardian.com/technology/2018/aug/13/google-location-tracking-android-iphone-mobile"> record the user's location even when users disable “location tracking”</a>.</p> <p>There arenot allowedother ways toreport whatturn off theuser watches — no exceptions!</p> </li> <li><p>Vizio goes a step further thanotherTV manufacturers in spying on their users: theirkinds of location tracking, but most users will be tricked by the misleading control.</p> </li> <li id="M201806110"> <p>The Spanish football streaming app <ahref="http://www.propublica.org/article/own-a-vizio-smart-tv-its-watching-you"> “smart” TVs analyze your viewing habits in detailhref="https://boingboing.net/2018/06/11/spanish-football-app-turns-use.html">tracks the user's movements andlinklistens through the microphone</a>.</p> <p>This makes themyour IP address</a> so that advertisers can track you across devices.</p> <p>It is possible to turn this off, but havingact as spies for licensing enforcement.</p> <p>We expect itenabled by defaultimplements DRM, too—that there isan injustice already.</p> </li> <li><p>Tivo's alliance with Viacom adds 2.3 million householdsno way to save a recording. But we can't be sure from the600 millions social media profilesarticle.</p> <p>If you learn to care much less about sports, you will benefit in many ways. This is one more.</p> </li> <li id="M201804160"> <p>More than <a href="https://www.theguardian.com/technology/2018/apr/16/child-apps-games-android-us-google-play-store-data-sharing-law-privacy">50% of thecompany already monitors. Tivo customers are unaware they're being watched5,855 Android apps studied byadvertisers. By combining TV viewingresearchers were found to snoop and collect informationwith online social media participation, Tivo can now <a href="http://www.reuters.com/article/viacom-tivo-idUSL1N12U1VV20151102">correlate TV advertisement with online purchases</a>, exposing all users to new combined surveillance by default.</p></li> <li><p>Some web and TV advertisements play inaudible soundsabout its users</a>. 40% of the apps were found tobe picked up by proprietary malware runninginsecurely snitch on its users. Furthermore, they could detect only some methods of snooping, in these proprietary apps whose source code they cannot look at. The otherdevicesapps might be snooping inrange so as to determineother ways.</p> <p>This is evidence thatthey are nearby. Once your Internet devices are paired with your TV, advertisers can correlate ads with Web activity,proprietary apps generally work against their users. To protect their privacy andotherfreedom, Android users need to get rid of the proprietary software—both proprietary Android by <ahref="http://arstechnica.com/tech-policy/2015/11/beware-of-ads-that-use-inaudible-sound-to-link-your-phone-tv-tablet-and-pc/">cross-device tracking</a>.</p> </li> <li><p>Vizio “smart” TVs recognizehref="https://replicant.us">switching to Replicant</a>, and the proprietary apps by getting apps from the free software only <ahref="http://www.engadget.com/2015/07/24/vizio-ipo-inscape-acr/">track what people are watching</a>, even if it isn't a TV channel.</p> </li> <li><p>The Amazon “Smart” TVhref="https://f-droid.org/">F-Droid store</a> that <ahref="http://www.theguardian.com/technology/shortcuts/2014/nov/09/amazon-echo-smart-tv-watching-listening-surveillance">is watching and listening allhref="https://f-droid.org/wiki/page/Antifeatures"> prominently warns thetime</a>.</p>user if an app contains anti-features</a>.</p> </li><li><p>The Samsung “Smart” TV<li id="M201804020"> <p>Grindr collects information about <ahref="http://www.consumerreports.org/cro/news/2015/02/who-s-the-third-party-that-samsung-and-lg-smart-tvs-are-sharing-your-voice-data-with/index.htm">transmits users' voice onhref="https://www.commondreams.org/news/2018/04/02/egregious-breach-privacy-popular-app-grindr-supplies-third-parties-users-hiv-status"> which users are HIV-positive, then provides theinternetinformation toanother company, Nuance</a>. Nuance can save it and would thencompanies</a>.</p> <p>Grindr should not have so much information about its users. It could be designed so that users communicate such info togive it to the US or someeach othergovernment.</p> <p>Speech recognition isbut not tobe trusted unless it is done by free software in your own computer.</p>the server's database.</p> </li><li><p>Spyware in<li id="M201803050"> <p>The moviepass app and dis-service spy on users even more than users expected. It <ahref="http://doctorbeet.blogspot.co.uk/2013/11/lg-smart-tvs-logging-usb-filenames-and.html"> LG “smart” TVs</a> reports what the user watches,href="https://techcrunch.com/2018/03/05/moviepass-ceo-proudly-says-the-app-tracks-your-location-before-and-after-movies/">records where they travel before andthe switchafter going toturn this off has no effect. (The fact that the transmission reportsa404 error really means nothing; the server could save that data anyway.)</p> <p>Even worse, itmovie</a>.</p> <p>Don't be tracked—pay cash!</p> </li> <li id="M201711240"> <p>Tracking software in popular Android apps is pervasive and sometimes very clever. Some trackers can <ahref="http://rambles.renney.me/2013/11/lg-tv-logging-filenames-from-network-folders/"> snoops on other devices on thehref="https://theintercept.com/2017/11/24/staggering-variety-of-clandestine-trackers-found-in-popular-android-apps/"> follow a user'slocal network.</a></p> <p>LG later said it had installedmovements around apatch to stop this, but any product could spy this way.</p> <p>Meanwhile, LG TVs <a href="http://www.techdirt.com/articles/20140511/17430627199/lg-will-take-smart-out-your-smart-tv-if-you-dont-agree-to-share-your-viewing-search-data-with-third-parties.shtml"> do lots of spying anyway</a>.</p> </li> <li> <p><a href="http://arstechnica.com/business/2015/05/verizon-fios-reps-know-what-tv-channels-you-watch/">Verizon cable TV snoops on what programs people watch, and even what they wanted to record.</a></p>physical store by noticing WiFi networks</a>.</p> </li></ul> <!-- #SpywareAtPlay --> <div class="big-section"> <h3 id="SpywareAtPlay">Spyware at Play</h3> <span class="anchor-reference-id">(<a href="#SpywareAtPlay">#SpywareAtPlay</a>)</span> </div> <div style="clear: left;"></div> <ul> <li><p>Many<li id="M201708270"> <p>The Sarahah app <ahref="http://www.thestar.com/news/canada/2015/12/29/how-much-data-are-video-games-collecting-about-you.html/"> video game consoles snoop on their usershref="https://theintercept.com/2017/08/27/hit-app-sarahah-quietly-uploads-your-address-book/"> uploads all phone numbers andreportemail addresses</a> in user's address book to developer's server.</p> <p><small>(Note that this article misuses theinternet</a>— even what their users weigh.</p> <p>A game console is a computer, and you can't trust a computer with a nonfree operating system.</p>words “<a href="/philosophy/free-sw.html">free software</a>” referring to zero price.)</small></p> </li><li><p>Modern gratis game cr…apps<li id="M201707270"> <p>20 dishonest Android apps recorded <ahref="http://toucharcade.com/2015/09/16/we-own-you-confessions-of-a-free-to-play-producer/"> collect a wide range of data about their usershref="https://arstechnica.com/information-technology/2017/07/stealthy-google-play-apps-recorded-calls-and-stole-e-mails-and-texts">phone calls andtheir users' friendssent them andassociates</a>.</p> <p>Even nastier, they do it through ad networks that merge the data collected by various cr…appstext messages andsites made by different companies.</p> <p>They use this dataemails tomanipulate peoplesnoopers</a>.</p> <p>Google did not intend tobuy things,make these apps spy; on the contrary, it worked in various ways to prevent that, andhuntdeleted these apps after discovering what they did. So we cannot blame Google specifically for“whales” who can be led to spend a lotthe snooping ofmoney. Theythese apps.</p> <p>On the other hand, Google redistributes nonfree Android apps, and therefore shares in the responsibility for the injustice of their being nonfree. It alsouse a back door todistributes its own nonfree apps, such as Google Play, <a href="/philosophy/free-software-even-more-important.html">which are malicious</a>.</p> <p>Could Google have done a better job of preventing apps from cheating? There is no systematic way for Google, or Android users, to inspect executable proprietary apps to see what they do.</p> <p>Google could demand the source code for these apps, and study the source code somehow to determine whether they mistreat users in various ways. If it did a good job of this, it could more or less prevent such snooping, except when the app developers are clever enough to outsmart the checking.</p> <p>But since Google itself develops malicious apps, we cannot trust Google to protect us. We must demand release of source code to the public, so we can depend on each other.</p> </li> <li id="M201705230"> <p>Apps for BART <a href="https://web.archive.org/web/20171124190046/https://consumerist.com/2017/05/23/passengers-say-commuter-rail-app-illegally-collects-personal-user-data/"> snoop on users</a>.</p> <p>With free software apps, users could <em>make sure</em> that they don't snoop.</p> <p>With proprietary apps, one can only hope that they don't.</p> </li> <li id="M201705040"> <p>A study found 234 Android apps that track users by <a href="https://www.bleepingcomputer.com/news/security/234-android-applications-are-currently-using-ultrasonic-beacons-to-track-users/">listening to ultrasound from beacons placed in stores or played by TV programs</a>.</p> </li> <li id="M201704260"> <p>Faceapp appears to do lots of surveillance, judging by <a href="https://web.archive.org/web/20170426191242/https://www.washingtonpost.com/news/the-intersect/wp/2017/04/26/everything-thats-wrong-with-faceapp-the-latest-creepy-photo-app-for-your-face/"> how much access it demands to personal data in the device</a>.</p> </li> <li id="M201704190"> <p>Users are suing Bose for <a href="https://web.archive.org/web/20170423010030/https://www.washingtonpost.com/news/the-switch/wp/2017/04/19/bose-headphones-have-been-spying-on-their-customers-lawsuit-claims/"> distributing a spyware app for its headphones</a>. Specifically, the app would record the names of the audio files users listen to along with the headphone's unique serial number.</p> <p>The suit accuses that this was done without the users' consent. If the fine print of the app said that users gave consent for this, would that make it acceptable? No way! It should be flat out <a href="/philosophy/surveillance-vs-democracy.html"> illegal to design the app to snoop at all</a>.</p> </li> <li id="M201704074"> <p>Pairs of Android apps can collude to transmit users' personal data to servers. <a href="https://www.theatlantic.com/technology/archive/2017/04/when-apps-collude-to-steal-your-data/522177/">A study found tens of thousands of pairs that collude</a>.</p> </li> <li id="M201703300"> <p>Verizon <a href="https://yro.slashdot.org/story/17/03/30/0112259/verizon-to-force-appflash-spyware-on-android-phones"> announced an opt-in proprietary search app that it will</a> pre-install on some of its phones. The app will give Verizon the same information about the users' searches that Google normally gets when they use its search engine.</p> <p>Currently, the app is <a href="https://www.eff.org/deeplinks/2017/04/update-verizons-appflash-pre-installed-spyware-still-spyware"> being pre-installed on only one phone</a>, and the user must explicitly opt-in before the app takes effect. However, the app remains spyware—an “optional” piece of spyware is still spyware.</p> </li> <li id="M201701210"> <p>The Meitu photo-editing app <a href="https://theintercept.com/2017/01/21/popular-selfie-app-sending-user-data-to-china-researchers-say/">sends user data to a Chinese company</a>.</p> </li> <li id="M201611280"> <p>The Uber app tracks <a href="https://techcrunch.com/2016/11/28/uber-background-location-data-collection/">clients' movements before and after the ride</a>.</p> <p>This example illustrates how “getting the user's consent” for surveillance is inadequate as a protection against massive surveillance.</p> </li> <li id="M201611160"> <p>A <a href="https://research.csiro.au/ng/wp-content/uploads/sites/106/2016/08/paper-1.pdf"> research paper</a> that investigated the privacy and security of 283 Android VPN apps concluded that “in spite of the promises for privacy, security, and anonymity given by the majority of VPN apps—millions of users may be unawarely subject to poor security guarantees and abusive practices inflicted by VPN apps.”</p> <p>Following is a non-exhaustive list, taken from the research paper, of some proprietary VPN apps that track users and infringe their privacy:</p> <dl class="compact"> <dt>SurfEasy</dt> <dd>Includes tracking libraries such as NativeX and Appflood, meant to track users and show them targeted ads.</dd> <dt>sFly Network Booster</dt> <dd>Requests the <code>READ_SMS</code> and <code>SEND_SMS</code> permissions upon installation, meaning it has full access to users' text messages.</dd> <dt>DroidVPN and TigerVPN</dt> <dd>Requests the <code>READ_LOGS</code> permission to read logs for other apps and also core system logs. TigerVPN developers have confirmed this.</dd> <dt>HideMyAss</dt> <dd>Sends traffic to LinkedIn. Also, it stores detailed logs and may turn them over to the UK government if requested.</dd> <dt>VPN Services HotspotShield</dt> <dd>Injects JavaScript code into the HTML pages returned to the users. The stated purpose of the JS injection is to display ads. Uses roughly five tracking libraries. Also, it redirects the user's traffic through valueclick.com (an advertising website).</dd> <dt>WiFi Protector VPN</dt> <dd>Injects JavaScript code into HTML pages, and also uses roughly five tracking libraries. Developers of this app have confirmed that the non-premium version of the app does JavaScript injection for tracking the user and displaying ads.</dd> </dl> </li> <li id="M201609210"> <p>Google's new voice messaging app <a href="http://www.theverge.com/2016/9/21/12994362/allo-privacy-message-logs-google">logs all conversations</a>.</p> </li> <li id="M201606050"> <p>Facebook's new Magic Photo app <a href="https://www.theregister.co.uk/2015/11/10/facebook_scans_camera_for_your_friends/"> scans your mobile phone's photo collections for known faces</a>, and suggests you to share the picture you take according to who is in the frame.</p> <p>This spyware feature seems to require online access to some known-faces database, which means the pictures are likely to be sent across the wire to Facebook's servers and face-recognition algorithms.</p> <p>If so, none of Facebook users' pictures are private anymore, even if the user didn't “upload” them to the service.</p> </li> <li id="M201605310"> <p>Facebook's app listens all the time, <a href="http://www.independent.co.uk/life-style/gadgets-and-tech/news/facebook-using-people-s-phones-to-listen-in-on-what-they-re-saying-claims-professor-a7057526.html">to snoop on what people are listening to or watching</a>. In addition, it may be analyzing people's conversations to serve them with targeted advertisements.</p> </li> <li id="M201604250"> <p>A pregnancy test controller application not only can <a href="http://www.theverge.com/2016/4/25/11503718/first-response-pregnancy-pro-test-bluetooth-app-security"> spy on many sorts of data in the phone, and in server accounts, it can alter them too</a>.</p> </li> <li id="M201601130"> <p>Apps that include <a href="https://web.archive.org/web/20180913014551/http://techaeris.com/2016/01/13/symphony-advanced-media-software-tracks-your-digital-life-through-your-smartphone-mic/"> Symphony surveillance software snoop on what radio and TV programs are playing nearby</a>. Also on what users post on various sites such as Facebook, Google+ and Twitter.</p> </li> <li id="M201511190"> <p>“Cryptic communication,” unrelated to the app's functionality, was <a href="http://news.mit.edu/2015/data-transferred-android-apps-hiding-1119"> found in the 500 most popular gratis Android apps</a>.</p> <p>The article should not have described these apps as “free”—they are not free software. The clear way to say “zero price” is “gratis.”</p> <p>The article takes for granted that the usual analytics tools are legitimate, but is that valid? Software developers have no right to analyze what users are doing or how. “Analytics” tools that snoop are just as wrong as any other snooping.</p> </li> <li id="M201510300"> <p>More than 73% and 47% of mobile applications, for Android and iOS respectively <a href="https://techscience.org/a/2015103001/">share personal, behavioral and location information</a> of their users with third parties.</p> </li> <li id="M201508210"> <p>Like most “music screaming” disservices, Spotify is based on proprietary malware (DRM and snooping). In August 2015 it <a href="http://www.theguardian.com/technology/2015/aug/21/spotify-faces-user-backlash-over-new-privacy-policy"> demanded users submit to increased snooping</a>, and some are starting to realize that it is nasty.</p> <p>This article shows the <a href="https://www.theregister.co.uk/2015/08/21/spotify_worse_than_the_nsa/"> twisted ways that they present snooping as a way to “serve” users better</a>—never mind whether they want that. This is a typical example of the attitude of the proprietary software industry towards those they have subjugated.</p> <p>Out, out, damned Spotify!</p> </li> <li id="M201506264"> <p><a href="http://www.privmetrics.org/wp-content/uploads/2015/06/wisec2015.pdf">A study in 2015</a> found that 90% of the top-ranked gratis proprietary Android apps contained recognizable tracking libraries. For the paid proprietary apps, it was only 60%.</p> <p>The article confusingly describes gratis apps as “free”, but most of them are not in fact <a href="/philosophy/free-sw.html">free software</a>. It also uses the ugly word “monetize”. A good replacement for that word is “exploit”; nearly always that will fit perfectly.</p> </li> <li id="M201505060"> <p>Gratis Android apps (but not <a href="/philosophy/free-sw.html">free software</a>) connect to 100 <a href="http://www.theguardian.com/technology/2015/may/06/free-android-apps-connect-tracking-advertising-websites">tracking and advertising</a> URLs, on the average.</p> </li> <li id="M201504060"> <p>Widely used <a href="https://freedom-to-tinker.com/blog/kollarssmith/scan-this-or-scan-me-user-privacy-barcode-scanning-applications/">proprietary QR-code scanner apps snoop on the user</a>. This is in addition to the snooping done by the phone company, and perhaps by the OS in the phone.</p> <p>Don't be distracted by the question of whether the app developers get users to say “I agree”. That is no excuse for malware.</p> </li> <li id="M201411260"> <p>Many proprietary apps for mobile devices report which other apps the user has installed. <a href="http://techcrunch.com/2014/11/26/twitter-app-graph/">Twitter is doing this in a way that at least is visible and optional</a>. Not as bad as what the others do.</p> </li> <li id="M201401150.1"> <p>The Simeji keyboard is a smartphone version of Baidu's <a href="/proprietary/proprietary-surveillance.html#baidu-ime">spying <abbr title="Input Method Editor">IME</abbr></a>.</p> </li> <li id="M201312270"> <p>The nonfree Snapchat app's principal purpose is to restrict the use of data on the user's computer, but it does surveillance too: <a href="http://www.theguardian.com/media/2013/dec/27/snapchat-may-be-exposed-hackers"> it tries to get the user's list of other people's phone numbers</a>.</p> </li> <li id="M201312060"> <p>The Brightest Flashlight app <a href="http://www.theguardian.com/technology/2013/dec/06/android-app-50m-downloads-sent-data-advertisers"> sends user data, including geolocation, for use by companies</a>.</p> <p>The FTC criticized this app because it asked the user to approve sending personal data to the app developer but did not ask about sending it to other companies. This shows the weakness of the reject-it-if-you-dislike-snooping “solution” to surveillance: why should a flashlight app send any information to anyone? A free software flashlight app would not.</p> </li> <li id="M201212100"> <p>FTC says most mobile apps for children don't respect privacy: <a href="http://arstechnica.com/information-technology/2012/12/ftc-disclosures-severely-lacking-in-kids-mobile-appsand-its-getting-worse/"> http://arstechnica.com/information-technology/2012/12/ftc-disclosures-severely-lacking-in-kids-mobile-appsand-its-getting-worse/</a>.</p> </li> </ul> <div class="big-subsection"> <h4 id="SpywareInSkype">Skype</h4> <span class="anchor-reference-id">(<a href="#SpywareInSkype">#SpywareInSkype</a>)</span> </div> <ul class="blurbs"> <li id="M201908151"> <p>Skype refuses to say whether it can <a href="http://www.slate.com/blogs/future_tense/2012/07/20/skype_won_t_comment_on_whether_it_can_now_eavesdrop_on_conversations_.html">eavesdrop on calls</a>.</p> <p>That almost certainly means it can do so.</p> </li> <li id="M201307110"> <p>Skype contains <a href="https://web.archive.org/web/20130928235637/http://www.forbes.com/sites/petercohan/2013/06/20/project-chess-how-u-s-snoops-on-your-skype/">spyware</a>. Microsoft changed Skype <a href="http://www.guardian.co.uk/world/2013/jul/11/microsoft-nsa-collaboration-user-data"> specifically for spying</a>.</p> </li> </ul> <div class="big-subsection"> <h4 id="SpywareInGames">Games</h4> <span class="anchor-reference-id">(<a href="#SpywareInGames">#SpywareInGames</a>)</span> </div> <ul class="blurbs"> <li id="M201908210"> <p>Microsoft recorded users of Xboxes and had <a href="https://www.vice.com/en_us/article/43kv4q/microsoft-human-contractors-listened-to-xbox-owners-homes-kinect-cortana"> human workers listen to the recordings</a>.</p> <p>Morally, we see no difference between having human workers listen and having speech-recognition systems listen. Both intrude on privacy.</p> </li> <li id="M201806240"> <p>Red Shell is a spyware that is found in many proprietary games. It <a href="https://nebulous.cloud/threads/red-shell-illegal-spyware-for-steam-games.31924/"> tracks data on users' computers and sends it to third parties</a>.</p> </li> <li id="M201804144"> <p>ArenaNet surreptitiously installed a spyware program along with an update to the massive multiplayer game Guild Wars 2. The spyware allowed ArenaNet <a href="https://techraptor.net/content/arenanet-used-spyware-anti-cheat-for-guild-wars-2-banwave"> to snoop on all open processes running on its user's computer</a>.</p> </li> <li id="M201711070"> <p>The driver for a certain gaming keyboard <a href="https://thehackernews.com/2017/11/mantistek-keyboard-keylogger.html">sends information to China</a>.</p> </li> <li id="M201512290"> <p>Many <a href="http://www.thestar.com/news/canada/2015/12/29/how-much-data-are-video-games-collecting-about-you.html/"> video game consoles snoop on their users and report to the internet</a>—even what their users weigh.</p> <p>A game console is a computer, and you can't trust a computer with a nonfree operating system.</p> </li> <li id="M201509160"> <p>Modern gratis game cr…apps <a href="http://toucharcade.com/2015/09/16/we-own-you-confessions-of-a-free-to-play-producer/"> collect a wide range of data about their users and their users' friends and associates</a>.</p> <p>Even nastier, they do it through ad networks that merge the data collected by various cr…apps and sites made by different companies.</p> <p>They use this data to manipulate people to buy things, and hunt for “whales” who can be led to spend a lot of money. They also use a back door to manipulate thegame playgame play for specific players.</p> <p>While the article describes gratis games, games that cost money can use the same tactics.</p> </li> <li id="M201401280"> <p>Angry Birds <a href="http://www.nytimes.com/2014/01/28/world/spy-agencies-scour-phone-apps-for-personal-data.html"> spies for companies, and the NSA takes advantage to spy through it too</a>. Here's information on <a href="http://confabulator.blogspot.com/2012/11/analysis-of-what-information-angry.html"> more spyware apps</a>.</p> <p><a href="http://www.propublica.org/article/spy-agencies-probe-angry-birds-and-other-apps-for-personal-data"> More about NSA app spying</a>.</p> </li> <li id="M200510200"> <p>Blizzard Warden is a hidden “cheating-prevention” program that <a href="https://www.eff.org/deeplinks/2005/10/new-gaming-feature-spyware"> spies on every process running on a gamer's computer and sniffs a good deal of personal data</a>, including lots of activities which have nothing to do with cheating.</p> </li> </ul> <div class="big-section"> <h3 id="SpywareInEquipment">Spyware in Connected Equipment</h3> <span class="anchor-reference-id">(<a href="#SpywareInEquipment">#SpywareInEquipment</a>)</span> </div> <div style="clear: left;"></div> <ul class="blurbs"> <li id="M201708280"> <p>The bad security in many Internet of Stings devices allows <a href="https://www.techdirt.com/articles/20170828/08152938092/iot-devices-provide-comcast-wonderful-new-opportunity-to-spy-you.shtml">ISPs to snoop on the people that use them</a>.</p> <p>Don't be a sucker—reject all the stings.</p> <p><small>(It is unfortunate that the article uses the term <a href="/philosophy/words-to-avoid.html#Monetize">“monetize”</a>.)</small></p> </li> </ul> <div class="big-subsection"> <h4 id="SpywareInTVSets">TV Sets</h4> <span class="anchor-reference-id">(<a href="#SpywareInTVSets">#SpywareInTVSets</a>)</span> </div> <p>Emo Phillips made a joke: The other day a woman came up to me and said, “Didn't I see you on television?” I said, “I don't know. You can't see out the other way.” Evidently that was before Amazon “smart” TVs.</p> <ul class="blurbs"> <li id="M202006250"> <p>TV manufacturers are able to <a href="https://www.zdnet.com/article/fbi-warns-about-snoopy-smart-tvs-spying-on-you/">snoop every second of what the user is watching</a>. This is illegal due to the Video Privacy Protection Act of 1988, but they're circumventing it through EULAs.</p> </li> <li id="M201901070"> <p>Vizio TVs <a href="https://www.theverge.com/2019/1/7/18172397/airplay-2-homekit-vizio-tv-bill-baxter-interview-vergecast-ces-2019"> collect “whatever the TV sees,”</a> in the own words of the company's CTO, and this data is sold to third parties. This is in return for “better service” (meaning more intrusive ads?) and slightly lower retail prices.</p> <p>What is supposed to make this spying acceptable, according to him, is that it is opt-in in newer models. But since the Vizio software is nonfree, we don't know what is actually happening behind the scenes, and there is no guarantee that all future updates will leave the settings unchanged.</p> <p>If you already own a Vizio smart TV (or any smart TV, for that matter), the easiest way to make sure it isn't spying on you is to disconnect it from the Internet, and use a terrestrial antenna instead. Unfortunately, this is not always possible. Another option, if you are technically oriented, is to get your own router (which can be an old computer running completely free software), and set up a firewall to block connections to Vizio's servers. Or, as a last resort, you can replace your TV with another model.</p> </li> <li id="M201804010"> <p>Some “Smart” TVs automatically <a href="https://web.archive.org/web/20180405014828/https:/twitter.com/buro9/status/980349887006076928"> load downgrades that install a surveillance app</a>.</p> <p>We link to the article for the facts it presents. It is too bad that the article finishes by advocating the moral weakness of surrendering to Netflix. The Netflix app <a href="/proprietary/malware-google.html#netflix-app-geolocation-drm">is malware too</a>.</p> </li> <li id="M201702060"> <p>Vizio “smart” <a href="https://www.ftc.gov/news-events/blogs/business-blog/2017/02/what-vizio-was-doing-behind-tv-screen">TVs report everything that is viewed on them, and not just broadcasts and cable</a>. Even if the image is coming from the user's own computer, the TV reports what it is. The existence of a way to disable the surveillance, even if it were not hidden as it was in these TVs, does not legitimize the surveillance.</p> </li> <li id="M201511130"> <p>Some web and TV advertisements play inaudible sounds to be picked up by proprietary malware running on other devices in range so as to determine that they are nearby. Once your Internet devices are paired with your TV, advertisers can correlate ads with Web activity, and other <a href="http://arstechnica.com/tech-policy/2015/11/beware-of-ads-that-use-inaudible-sound-to-link-your-phone-tv-tablet-and-pc/"> cross-device tracking</a>.</p> </li> <li id="M201511060"> <p>Vizio goes a step further than other TV manufacturers in spying on their users: their <a href="http://www.propublica.org/article/own-a-vizio-smart-tv-its-watching-you"> “smart” TVs analyze your viewing habits in detail and link them your IP address</a> so that advertisers can track you across devices.</p> <p>It is possible to turn this off, but having it enabled by default is an injustice already.</p> </li> <li id="M201511020"> <p>Tivo's alliance with Viacom adds 2.3 million households to the 600 millions social media profiles the company already monitors. Tivo customers are unaware they're being watched by advertisers. By combining TV viewing information with online social media participation, Tivo can now <a href="http://www.reuters.com/article/viacom-tivo-idUSL1N12U1VV20151102"> correlate TV advertisement with online purchases</a>, exposing all users to new combined surveillance by default.</p> </li> <li id="M201507240"> <p>Vizio “smart” TVs recognize and <a href="http://www.engadget.com/2015/07/24/vizio-ipo-inscape-acr/">track what people are watching</a>, even if it isn't a TV channel.</p> </li> <li id="M201505290"> <p>Verizon cable TV <a href="http://arstechnica.com/business/2015/05/verizon-fios-reps-know-what-tv-channels-you-watch/"> snoops on what programs people watch, and even what they wanted to record</a>.</p> </li> <li id="M201504300"> <p>Vizio <a href="http://boingboing.net/2015/04/30/telescreen-watch-vizio-adds-s.html"> used a firmware “upgrade” to make its TVs snoop on what users watch</a>. The TVs did not do that when first sold.</p> </li> <li id="M201502090"> <p>The Samsung “Smart” TV <a href="http://www.consumerreports.org/cro/news/2015/02/who-s-the-third-party-that-samsung-and-lg-smart-tvs-are-sharing-your-voice-data-with/index.htm"> transmits users' voice on the internet to another company, Nuance</a>. Nuance can save it and would then have to give it to the US or some other government.</p> <p>Speech recognition is not to be trusted unless it is done by free software in your own computer.</p> <p>In its privacy policy, Samsung explicitly confirms that <a href="http://theweek.com/speedreads/538379/samsung-warns-customers-not-discuss-personal-information-front-smart-tvs">voice data containing sensitive information will be transmitted to third parties</a>.</p> </li> <li id="M201411090"> <p>The Amazon “Smart” TV is <a href="http://www.theguardian.com/technology/shortcuts/2014/nov/09/amazon-echo-smart-tv-watching-listening-surveillance"> snooping all the time</a>.</p> </li> <li id="M201409290"> <p>More or less all “smart” TVs <a href="http://www.myce.com/news/reseachers-all-smart-tvs-spy-on-you-sony-monitors-all-channel-switches-72851/">spy on their users</a>.</p> <p>The report was as of 2014, but we don't expect this has got better.</p> <p>This shows that laws requiring products to get users' formal consent before collecting personal data are totally inadequate. And what happens if a user declines consent? Probably the TV will say, “Without your consent to tracking, the TV will not work.”</p> <p>Proper laws would say that TVs are not allowed to report what the user watches—no exceptions!</p> </li> <li id="M201405200"> <p>Spyware in LG “smart” TVs <a href="http://doctorbeet.blogspot.co.uk/2013/11/lg-smart-tvs-logging-usb-filenames-and.html"> reports what the user watches, and the switch to turn this off has no effect</a>. (The fact that the transmission reports a 404 error really means nothing; the server could save that data anyway.)</p> <p>Even worse, it <a href="http://rambles.renney.me/2013/11/lg-tv-logging-filenames-from-network-folders/"> snoops on other devices on the user's local network</a>.</p> <p>LG later said it had installed a patch to stop this, but any product could spy this way.</p> <p>Meanwhile, LG TVs <a href="http://www.techdirt.com/articles/20140511/17430627199/lg-will-take-smart-out-your-smart-tv-if-you-dont-agree-to-share-your-viewing-search-data-with-third-parties.shtml"> do lots of spying anyway</a>.</p> </li> <li id="M201212170"> <p id="break-security-smarttv"><a href="http://www.dailymail.co.uk/sciencetech/article-2249303/Hackers-penetrate-home-Crack-Samsungs-Smart-TV-allows-attacker-seize-control-microphone-cameras.html"> Crackers found a way to break security on a “smart” TV</a> and use its camera to watch the people who are watching TV.</p> </li> </ul> <div class="big-subsection"> <h4 id="SpywareInCameras">Cameras</h4> <span class="anchor-reference-id">(<a href="#SpywareInCameras">#SpywareInCameras</a>)</span> </div> <ul class="blurbs"> <li id="M201901100"> <p>Amazon Ring “security” devices <a href="https://www.engadget.com/2019/01/10/ring-gave-employees-access-customer-video-feeds/"> send the video they capture to Amazon servers</a>, which save it long-term.</p> <p>In many cases, the video shows everyone that comes near, or merely passes by, the user's front door.</p> <p>The article focuses on how Ring used to let individual employees look at the videos freely. It appears Amazon has tried to prevent that secondary abuse, but the primary abuse—that Amazon gets the video—Amazon expects society to surrender to.</p> </li> <li id="M201810300"> <p>Nearly all “home security cameras” <a href="https://www.consumerreports.org/privacy/d-link-camera-poses-data-security-risk--consumer-reports-finds/"> give the manufacturer an unencrypted copy of everything they see</a>. “Home insecurity camera” would be a better name!</p> <p>When Consumer Reports tested them, it suggested that these manufacturers promise not to look at what's in the videos. That's not security for your home. Security means making sure they don't get to see through your camera.</p> </li> <li id="M201603220"> <p>Over 70 brands of network-connected surveillance cameras have <a href="http://www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.html"> security bugs that allow anyone to watch through them</a>.</p> </li> <li id="M201511250"> <p>The Nest Cam “smart” camera is <a href="http://www.bbc.com/news/technology-34922712">always watching</a>, even when the “owner” switches it “off.”</p> <p>A “smart” device means the manufacturer is using it to outsmart you.</p> </li> </ul> <div class="big-subsection"> <h4 id="SpywareInToys">Toys</h4> <span class="anchor-reference-id">(<a href="#SpywareInToys">#SpywareInToys</a>)</span> </div> <ul class="blurbs"> <li id="M201711244"> <p>The Furby Connect has a <a href="https://www.contextis.com/blog/dont-feed-them-after-midnight-reverse-engineering-the-furby-connect"> universal back door</a>. If the product as shipped doesn't act as a listening device, remote changes to the code could surely convert it into one.</p> </li> <li id="M201711100"> <p>A remote-control sex toy was found to make <a href="https://www.theverge.com/2017/11/10/16634442/lovense-sex-toy-spy-survei">audio recordings of the conversation between two users</a>.</p> </li> <li id="M201703140"> <p>A computerized vibrator <a href="https://www.theguardian.com/technology/2016/aug/10/vibrator-phone-app-we-vibe-4-plus-bluetooth-hack"> was snooping on its users through the proprietary control app</a>.</p> <p>The app was reporting the temperature of the vibrator minute by minute (thus, indirectly, whether it was surrounded by a person's body), as well as the vibration frequency.</p> <p>Note the totally inadequate proposed response: a labeling standard with which manufacturers would make statements about their products, rather than free software which users could have checked and changed.</p> <p>The company that made the vibrator <a href="https://www.theguardian.com/us-news/2016/sep/14/wevibe-sex-toy-data-collection-chicago-lawsuit"> was sued for collecting lots of personal information about how people used it</a>.</p> <p>The company's statement that it was anonymizing the data may be true, but it doesn't really matter. If it had sold the data to a data broker, the data broker would have been able to figure out who the user was.</p> <p>Following this lawsuit, <a href="https://www.theguardian.com/technology/2017/mar/14/we-vibe-vibrator-tracking-users-sexual-habits"> the company has been ordered to pay a total of C$4m</a> to its customers.</p> </li> <li id="M201702280"> <p>“CloudPets” toys with microphones <a href="https://www.theguardian.com/technology/2017/feb/28/cloudpets-data-breach-leaks-details-of-500000-children-and-adults"> leak childrens' conversations to the manufacturer</a>. Guess what? <a href="https://motherboard.vice.com/en_us/article/pgwean/internet-of-things-teddy-bear-leaked-2-million-parent-and-kids-message-recordings"> Crackers found a way to access the data</a> collected by the manufacturer's snooping.</p> <p>That the manufacturer and the FBI could listen to these conversations was unacceptable by itself.</p> </li> <li id="M201612060"> <p>The “smart” toys My Friend Cayla and i-Que transmit <a href="https://www.forbrukerradet.no/siste-nytt/connected-toys-violate-consumer-laws">children's conversations to Nuance Communications</a>, a speech recognition company based in the U.S.</p> <p>Those toys also contain major security vulnerabilities; crackers can remotely control the toys with a mobile phone. This would enable crackers to listen in on a child's speech, and even speak into the toys themselves.</p> </li> <li id="M201502180"> <p>Barbie <a href="http://www.mirror.co.uk/news/technology-science/technology/wi-fi-spy-barbie-records-childrens-5177673">is going to spy on children and adults</a>.</p> </li> </ul> <div class="big-subsection"> <h4 id="SpywareInDrones">Drones</h4> <span class="anchor-reference-id">(<a href="#SpywareInDrones">#SpywareInDrones</a>)</span> </div> <ul class="blurbs"> <li id="M201708040"> <p>While you're using a DJI drone to snoop on other people, DJI is in many cases <a href="https://www.theverge.com/2017/8/4/16095244/us-army-stop-using-dji-drones-cybersecurity">snooping on you</a>.</p> </li> </ul> <div class="big-subsection"> <h4 id="SpywareAtHome">Other Appliances</h4><span class="anchor-reference-id">(<a href="#SpywareAtHome">#SpywareAtHome</a>)</span> </div> <ul class="blurbs"> <li id="M202006300"> <p>“Bossware” is malware that bosses <a href="https://www.eff.org/deeplinks/2020/06/inside-invasive-secretive-bossware-tracking-workers"> coerce workers into installing in their own computers</a>, so the bosses can spy on them.</p> <p>This shows why requiring the user's “consent” is not an adequate basis for protecting digital privacy. The boss can coerce most workers into consenting to almost anything, even probable exposure to contagious disease that can be fatal. Software like this should be illegal and bosses that demand it should be prosecuted for it.</p> </li> <li id="M201911190"> <p>Internet-tethered Amazon Ring had a security vulnerability that enabled attackers to <a href="https://www.commondreams.org/newswire/2019/11/07/amazons-ring-doorbells-leaks-customers-wi-fi-username-and-password"> access the user's wifi password</a>, and snoop on the household through connected surveillance devices.</p> <p>Knowledge of the wifi password would not be sufficient to carry out any significant surveillance if the devices implemented proper security, including encryption. But many devices with proprietary software lack this. Of course, they are also used by their manufacturers for snooping.</p> </li> <li id="M201907210"> <p>Google “Assistant” records users' conversations <a href="https://arstechnica.com/information-technology/2019/07/google-defends-listening-to-ok-google-queries-after-voice-recordings-leak/">even when it is not supposed to listen</a>. Thus, when one of Google's subcontractors discloses a thousand confidential voice recordings, users were easily identified from these recordings.</p> <p>Since Google “Assistant” uses proprietary software, there is no way to see or control what it records or sends.</p> <p>Rather than trying to better control the use of recordings, Google should not record or listen to the person's voice. It should only get commands that the user wants to send to some Google service.</p> </li> <li id="M201905061"> <p>Amazon Alexa collects a lot more information from users than is necessary for correct functioning (time, location, recordings made without a legitimate prompt), and sends it to Amazon's servers, which store it indefinitely. Even worse, Amazon forwards it to third-party companies. Thus, even if users request deletion of their data from Amazon's servers, <a href="https://www.ctpost.com/business/article/Alexa-has-been-eavesdropping-on-you-this-whole-13822095.php"> the data remain on other servers</a>, where they can be accessed by advertising companies and government agencies. In other words, deleting the collected information doesn't cancel the wrong of collecting it.</p> <p>Data collected by devices such as the Nest thermostat, the Philips Hue-connected lights, the Chamberlain MyQ garage opener and the Sonos speakers are likewise stored longer than necessary on the servers the devices are tethered to. Moreover, they are made available to Alexa. As a result, Amazon has a very precise picture of users' life at home, not only in the present, but in the past (and, who knows, in the future too?)</p> </li> <li id="M201904240"> <p>Some of users' commands to the Alexa service are <a href="https://www.smh.com.au/technology/alexa-is-someone-else-listening-to-us-sometimes-someone-is-20190411-p51d4g.html"> recorded for Amazon employees to listen to</a>. The Google and Apple voice assistants do similar things.</p> <p>A fraction of the Alexa service staff even has access to <a href="https://www.bnnbloomberg.ca/amazon-s-alexa-reviewers-can-access-customers-home-addresses-1.1248788"> location and other personal data</a>.</p> <p>Since the client program is nonfree, and data processing is done “<a href="/philosophy/words-to-avoid.html#CloudComputing">in the cloud</a>” (a soothing way of saying “We won't tell you how and where it's done”), users have no way to know what happens to the recordings unless human eavesdroppers <a href="https://www.bnnbloomberg.ca/three-cheers-for-amazon-s-human-eavesdroppers-1.1243033"> break their non-disclosure agreements</a>.</p> </li> <li id="M201902080"> <p>The HP <a href="https://boingboing.net/2019/02/08/inkjet-dystopias.html"> “ink subscription” cartridges have DRM that constantly communicates with HP servers</a> to make sure the user is still paying for the subscription, and hasn't printed more pages than were paid for.</p> <p>Even though the ink subscription program may be cheaper in some specific cases, it spies on users, and involves totally unacceptable restrictions in the use of ink cartridges that would otherwise be in working order.</p> </li> <li id="M201808120"> <p>Crackers found a way to break the security of an Amazon device, and <a href="https://boingboing.net/2018/08/12/alexa-bob-carol.html"> turn it into a listening device</a> for them.</p> <p>It was very difficult for them to do this. The job would be much easier for Amazon. And if some government such as China or the US told Amazon to do this, or cease to sell the product in that country, do you think Amazon would have the moral fiber to say no?</p> <p><small>(These crackers are probably hackers too, but please <a href="https://stallman.org/articles/on-hacking.html"> don't use “hacking” to mean “breaking security”</a>.)</small></p> </li> <li id="M201804140"> <p>A medical insurance company <a href="https://wolfstreet.com/2018/04/14/our-dental-insurance-sent-us-free-internet-connected-toothbrushes-and-this-is-what-happened-next"> offers a gratis electronic toothbrush that snoops on its user by sending usage data back over the Internet</a>.</p> </li> <li id="M201706204"> <p>Lots of “smart” products are designed <a href="http://enews.cnet.com/ct/42931641:shoPz52LN:m:1:1509237774:B54C9619E39F7247C0D58117DD1C7E96:r:27417204357610908031812337994022">to listen to everyone in the house, all the time</a>.</p> <p>Today's technological practice does not include any way of making a device that can obey your voice commands without potentially spying on you. Even if it is air-gapped, it could be saving up records about you for later examination.</p> </li> <li id="M201407170"> <p id="nest-thermometers">Nest thermometers send <a href="http://bgr.com/2014/07/17/google-nest-jailbreak-hack">a lot of data about the user</a>.</p> </li> <li id="M201310260"> <p><a href="https://web.archive.org/web/20180911191954/http://consumerman.com/Rent-to-own%20giant%20accused%20of%20spying%20on%20its%20customers.htm"> Rent-to-own computers were programmed to spy on their renters</a>.</p> </li> </ul> <div class="big-subsection"> <h4 id="SpywareOnWearables">Wearables</h4> <span class="anchor-reference-id">(<a href="#SpywareOnWearables">#SpywareOnWearables</a>)</span> </div> <ul class="blurbs"> <li id="M201807260"> <p>Tommy Hilfiger clothing <a href="https://www.theguardian.com/fashion/2018/jul/26/tommy-hilfiger-new-clothing-line-monitor-customers">will monitor how often people wear it</a>.</p> <p>This will teach the sheeple to find it normal that companies monitor every aspect of what they do.</p> </li> </ul> <h5 id="SpywareOnSmartWatches">“Smart” Watches</h5> <ul class="blurbs"> <li id="M201603020"> <p>A very cheap “smart watch” comes with an Android app <a href="https://www.theregister.co.uk/2016/03/02/chinese_backdoor_found_in_ebays_popular_cheap_smart_watch/"> that connects to an unidentified site in China</a>.</p> <p>The article says this is a back door, but that could be a misunderstanding. However, it is certainly surveillance, at least.</p> </li> <li id="M201407090"> <p>An LG “smart” watch is designed <a href="http://www.huffingtonpost.co.uk/2014/07/09/lg-kizon-smart-watch_n_5570234.html"> to report its location to someone else and to transmit conversations too</a>.</p> </li> </ul> <div class="big-subsection"> <h4 id="SpywareInVehicles">Vehicles</h4> <span class="anchor-reference-id">(<a href="#SpywareInVehicles">#SpywareInVehicles</a>)</span> </div> <ul class="blurbs"> <li id="M201912171"> <p>Most modern cars now <a href="https://boingboing.net/2019/12/17/cars-now-run-on-the-new-oil.html"> record and send various kinds of data to the manufacturer</a>. For the user, access to the data is nearly impossible, as it involves cracking the car's computer, which is always hidden and running with proprietary software.</p> </li> <li id="M201903290"> <p>Tesla cars collect lots of personal data, and <a href="https://www.cnbc.com/2019/03/29/tesla-model-3-keeps-data-like-crash-videos-location-phone-contacts.html"> when they go to a junkyard the driver's personal data goes with them</a>.</p> </li> <li id="M201902011"> <p>The FordPass Connect feature of some Ford vehicles has <a href="https://www.myfordpass.com/content/ford_com/fp_app/en_us/termsprivacy.html"> near-complete access to the internal car network</a>. It is constantly connected to the cellular phone network and sends Ford a lot of data, including car location. This feature operates even when the ignition key is removed, and users report that they can't disable it.</p> <p>If you own one of these cars, have you succeeded in breaking the connectivity by disconnecting the cellular modem, or wrapping the antenna in aluminum foil?</p> </li> <li id="M201811300"> <p>In China, it is mandatory for electric cars to be equipped with a terminal that <a href="https://www.apnews.com/4a749a4211904784826b45e812cff4ca"> transfers technical data, including car location, to a government-run platform</a>. In practice, <a href="/proprietary/proprietary-surveillance.html#car-spying"> manufacturers collect this data</a> as part of their own spying, then forward it to the government-run platform.</p> </li> <li id="M201810230"> <p>GM <a href="https://boingboing.net/2018/10/23/dont-touch-that-dial.html"> tracked the choices of radio programs</a> in its “connected” cars, minute by minute.</p> <p>GM did not get users' consent, but it could have got that easily by sneaking it into the contract that users sign for some digital service or other. A requirement for consent is effectively no protection.</p> <p>The cars can also collect lots of other data: listening to you, watching you, following your movements, tracking passengers' cell phones. <em>All</em> such data collection should be forbidden.</p> <p>But if you really want to be safe, we must make sure the car's hardware cannot collect any of that data, or that the software is free so we know it won't collect any of that data.</p> </li> <li id="M201711230"> <p>AI-powered driving apps can <a href="https://motherboard.vice.com/en_us/article/43nz9p/ai-powered-driving-apps-can-track-your-every-move"> track your every move</a>.</p> </li> <li id="M201607160"> <p id="car-spying">Computerized cars with nonfree software are <a href="http://www.thelowdownblog.com/2016/07/your-cars-been-studying-you-closely-and.html"> snooping devices</a>.</p> </li> <li id="M201602240"> <p id="nissan-modem">The Nissan Leaf has a built-in cell phone modem which allows effectively anyone to <a href="https://www.troyhunt.com/controlling-vehicle-features-of-nissan/"> access its computers remotely and make changes in various settings</a>.</p> <p>That's easy to do because the system has no authentication when accessed through the modem. However, even if it asked for authentication, you couldn't be confident that Nissan has no access. The software in the car is proprietary, <a href="/philosophy/free-software-even-more-important.html">which means it demands blind faith from its users</a>.</p> <p>Even if no one connects to the car remotely, the cell phone modem enables the phone company to track the car's movements all the time; it is possible to physically remove the cell phone modem, though.</p> </li> <li id="M201306140"> <p>Tesla cars allow the company to extract data remotely and determine the car's location at any time. (See Section 2, paragraphs b and c of the <a href="http://www.teslamotors.com/sites/default/files/pdfs/tmi_privacy_statement_external_6-14-2013_v2.pdf"> privacy statement</a>.) The company says it doesn't store this information, but if the state orders it to get the data and hand it over, the state can store it.</p> </li> <li id="M201303250"> <p id="records-drivers">Proprietary software in cars <a href="http://www.usatoday.com/story/money/cars/2013/03/24/car-spying-edr-data-privacy/1991751/"> records information about drivers' movements</a>, which is made available to car manufacturers, insurance companies, and others.</p> <p>The case of toll-collection systems, mentioned in this article, is not really a matter of proprietary surveillance. These systems are an intolerable invasion of privacy, and should be replaced with anonymous payment systems, but the invasion isn't done by malware. The other cases mentioned are done by proprietary malware in the car.</p> </li> </ul> <div class="big-subsection"> <h4 id="SpywareInVR">Virtual Reality</h4> <span class="anchor-reference-id">(<a href="#SpywareInVR">#SpywareInVR</a>)</span> </div> <ul class="blurbs"> <li id="M201612230"> <p>VR equipment, measuring every slight motion, creates the potential forspecific players.</p> <p>Whilethearticle describes gratis games, games that cost moneymost intimate surveillance ever. All it takes to make this potential real <a href="https://theintercept.com/2016/12/23/virtual-reality-allows-the-most-detailed-intimate-digital-surveillance-yet/">is software as malicious as many other programs listed in this page</a>.</p> <p>You canusebet Facebook will implement thesame tactics.</p>maximum possible surveillance on Oculus Rift devices. The moral is, never trust a VR system with nonfree software in it.</p> </li> </ul><!-- #SpywareOnTheWeb --><div class="big-section"> <h3 id="SpywareOnTheWeb">Spyware on the Web</h3> <span class="anchor-reference-id">(<a href="#SpywareOnTheWeb">#SpywareOnTheWeb</a>)</span> </div> <div style="clear: left;"></div> <p>In addition, many web sites spy on their visitors. Web sites are not programs, so it <a href="/philosophy/network-services-arent-free-or-nonfree.html"> makes no sense to call them “free” or “proprietary”</a>, but the surveillance is an abuse all the same.</p><ul> <li><p>Online<ul class="blurbs"> <li id="M201904210"> <p>As of April 2019, it is <a href="https://www.bleepingcomputer.com/news/software/major-browsers-to-prevent-disabling-of-click-tracking-privacy-risk/">no longer possible to disable an unscrupulous tracking anti-feature</a> that <a href="https://html.spec.whatwg.org/multipage/links.html#hyperlink-auditing">reports users when they follow ping links</a> in Apple Safari, Google Chrome, Opera, Microsoft Edge and also in the upcoming Microsoft Edge that is going to be based on Chromium.</p> </li> <li id="M201901101"> <p>Until 2015, any tweet that listed a geographical tag <a href="http://web-old.archive.org/web/20190115233002/https://www.wired.com/story/twitter-location-data-gps-privacy/"> sent the precise GPS location to Twitter's server</a>. It still contains these GPS locations.</p> </li> <li id="M201805170"> <p>The Storyful program <a href="https://www.theguardian.com/world/2018/may/17/revealed-how-storyful-uses-tool-monitor-what-journalists-watch">spies on the reporters that use it</a>.</p> </li> <li id="M201701060"> <p>When a page uses Disqus for comments, the proprietary Disqus software <a href="https://blog.dantup.com/2017/01/visiting-a-site-that-uses-disqus-comments-when-not-logged-in-sends-the-url-to-facebook">loads a Facebook software package into the browser of every anonymous visitor to the page, and makes the page's URL available to Facebook</a>.</p> </li> <li id="M201612064"> <p>Online sales, with tracking and surveillance of customers, <a href="https://www.theguardian.com/commentisfree/2016/dec/06/cookie-monsters-why-your-browsing-history-could-mean-rip-off-prices">enables businesses to show different people different prices</a>. Most of the tracking is done by recording interactions with servers, but proprietary software contributes.</p> </li><li><p><a href="http://japandailypress.com/government-warns-agencies-against-using-chinas-baidu-application-after-data-transmissions-discovered-2741553/"> Baidu's Japanese-input and Chinese-input apps spy on users.</a></p> </li> <li><p>Pages that contain “Like” buttons <a href="http://www.smh.com.au/technology/technology-news/facebooks-privacy-lie-aussie-exposes-tracking-as-new-patent-uncovered-20111004-1l61i.html"> enable Facebook to track visitors<li id="M201405140"> <p><a href="https://web.archive.org/web/20190421070310/https://www.itproportal.com/2014/05/14/microsoft-openly-offered-cloud-data-fbi-and-nsa/"> Microsoft SkyDrive allows the NSA tothose pages</a>—even users that don't have Facebook accounts.</p>directly examine users' data</a>.</p> </li><li><p>Many<li id="M201210240"> <p>Many web sites rat their visitors to advertising networks that track users. Of the top 1000 web sites, <a href="https://www.law.berkeley.edu/research/bclt/research/privacy-at-bclt/web-privacy-census/">84% (as of 5/17/2012) fed their visitors third-party cookies, allowing other sites to track them</a>.</p> </li><li><p>Many<li id="M201208210"> <p>Many web sites report all their visitors to Google by using the Google Analytics service, which <a href="http://www.pcworld.idg.com.au/article/434164/google_analytics_breaks_norwegian_privacy_laws_local_agency_said/"> tells Google the IP address and the page that wasvisited.</a></p>visited</a>.</p> </li><li><p>Many<li id="M201200000"> <p>Many web sites try to collect users' address books (the user's list of other people's phone numbers or email addresses). This violates the privacy of those other people.</p> </li><li><p><a href="http://www.itproportal.com/2014/05/14/microsoft-openly-offered-cloud-data-fbi-and-nsa/"> Microsoft SkyDrive allows the NSA<li id="M201110040"> <p>Pages that contain “Like” buttons <a href="https://www.smh.com.au/technology/facebooks-privacy-lie-aussie-exposes-tracking-as-new-patent-uncovered-20111004-1l61i.html"> enable Facebook todirectly examine users' data</a>.</p>track visitors to those pages</a>—even users that don't have Facebook accounts.</p> </li> </ul><!-- WEBMASTERS: make sure to place new items on top under each subsection --><div class="big-subsection"> <h4id="SpywareInChrome">Spywareid="SpywareInJavaScript">JavaScript</h4> <span class="anchor-reference-id">(<a href="#SpywareInJavaScript">#SpywareInJavaScript</a>)</span> </div> <ul class="blurbs"> <li id="M201811270"> <p>Many web sites use JavaScript code <a href="http://gizmodo.com/before-you-hit-submit-this-company-has-already-logge-1795906081"> to snoop on information that users have typed into a form but not sent</a>, inChrome</h4> <span class="anchor-reference-id">(<a href="#SpywareInChrome">#SpywareInChrome</a>)</span> </div> <ul> <li><p>Google Chrome makes it easyorder to learn their identity. Some are <a href="https://www.manatt.com/Insights/Newsletters/Advertising-Law/Sites-Illegally-Tracked-Consumers-New-Suits-Allege"> getting sued</a> foran extensionthis.</p> <p>The chat facilities of some customer services use the same sort of malware todo<ahref="https://labs.detectify.com/2015/07/28/how-i-disabled-your-chrome-security-extensions/">total snoopinghref="https://gizmodo.com/be-warned-customer-service-agents-can-see-what-youre-t-1830688119"> read what the user is typing before it is posted</a>.</p> </li> <li id="M201807190"> <p>British Airways used <a href="https://www.theverge.com/2018/7/19/17591732/british-airways-gdpr-compliance-twitter-personal-data-security">nonfree JavaScript on its web site to give other companies personal data on its customers</a>.</p> </li> <li id="M201712300"> <p>Some JavaScript malware <a href="https://www.theverge.com/2017/12/30/16829804/browser-password-manager-adthink-princeton-research"> swipes usernames from browser-based password managers</a>.</p> </li> <li id="M201711150"> <p>Some websites send JavaScript code to collect all the user'sbrowsing</a>, and many of them do so.</p>input, <a href="https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/">which can then be used to reproduce the whole session</a>.</p> <p>If you use LibreJS, it will block that malicious JavaScript code.</p> </li> </ul> <div class="big-subsection"> <h4id="SpywareInFlash">Spyware in Flash</h4>id="SpywareInFlash">Flash</h4> <span class="anchor-reference-id">(<a href="#SpywareInFlash">#SpywareInFlash</a>)</span> </div><ul> <li><p>Flash<ul class="blurbs"> <li id="M201310110"> <p>Flash and JavaScript are used for <a href="http://arstechnica.com/security/2013/10/top-sites-and-maybe-the-nsa-track-users-with-device-fingerprinting/"> “fingerprinting” devices</a> to identify users.</p> </li> <li id="M201003010"> <p>Flash Player's <a href="http://www.imasuper.com/66/technology/flash-cookies-the-silent-privacy-killer/"> cookie feature helps web sites track visitors</a>.</p> </li><li><p>Flash</ul> <div class="big-subsection"> <h4 id="SpywareInChrome">Chrome</h4> <span class="anchor-reference-id">(<a href="#SpywareInChrome">#SpywareInChrome</a>)</span> </div> <ul class="blurbs"> <li id="M201906220"> <p>Google Chrome isalso usedan <a href="https://www.mercurynews.com/2019/06/21/google-chrome-has-become-surveillance-software-its-time-to-switch/"> instrument of surveillance</a>. It lets thousands of trackers invade users' computers and report the sites they visit to advertising and data companies, first of all to Google. Moreover, if users have a Gmail account, Chrome automatically logs them in to the browser for more convenient profiling. On Android, Chrome also reports their location to Google.</p> <p>The best way to escape surveillance is to switch to <ahref="http://arstechnica.com/security/2013/10/top-sites-and-maybe-the-nsa-track-users-with-device-fingerprinting/"> “fingerprinting” devices </a>href="/software/icecat/">IceCat</a>, a modified version of Firefox with several changes toidentify users.</p>protect users' privacy.</p> </li></ul> <p><a href="/philosophy/javascript-trap.html">Javascript code</a><li id="M201704131"> <p>Low-priced Chromebooks for schools are <a href="https://www.eff.org/wp/school-issued-devices-and-student-privacy"> collecting far more data on students than isanother methodnecessary, and store it indefinitely</a>. Parents and students complain about the lack of“fingerprinting” devices.</p> <!-- #SpywareEverywhere --> <div class="big-section"> <h3 id="SpywareEverywhere">Spyware Everywhere</h3> <span class="anchor-reference-id">(<a href="#SpywareEverywhere">#SpywareEverywhere</a>)</span> </div> <div style="clear: left;"></div> <ul> <li><p>The natural extensiontransparency on the part ofmonitoring people through “their” phonesboth the educational services and the schools, the difficulty of opting out of these services, and the lack of proper privacy policies, among other things.</p> <p>But complaining is not sufficient. Parents, students and teachers should realize that the software Google uses to spy on students is nonfree, so they can't verify what it really does. The only remedy is to persuade school officials to <a href="/education/edu-schools.html"> exclusively use free software</a> for both education and school administration. If the school is run locally, parents and teachers can mandate their representatives at the School Board to refuse the budget unless the school initiates a switch to free software. If education is<a href="http://www.northwestern.edu/newscenter/stories/2016/01/fool-activity-tracker.html"> proprietaryrun nation-wide, they need to persuade legislators (e.g., through free software organizations, political parties, etc.) tomake sure they can't “fool”migrate themonitoring</a>.</p> </li> <li><p><a href="http://www.pocket-lint.com/news/134954-cortana-is-always-listening-with-new-wake-on-voice-tech-even-when-windows-10-is-sleeping"> Intel devices will be ablepublic schools tolistenfree software.</p> </li> <li id="M201507280"> <p>Google Chrome makes it easy forspeech allan extension to do <a href="https://labs.detectify.com/2015/07/28/how-i-disabled-your-chrome-security-extensions/">total snooping on thetime, even when “off.”</a></p>user's browsing</a>, and many of them do so.</p> </li> <li id="M201506180"> <p>Google Chrome includes a module that <a href="https://www.privateinternetaccess.com/blog/2015/06/google-chrome-listening-in-to-your-room-shows-the-importance-of-privacy-defense-in-depth/"> activates microphones and transmits audio to its servers</a>.</p> </li> <li id="M201308040"> <p>Google Chrome <a href="https://www.brad-x.com/2013/08/04/google-chrome-is-spyware/"> spies on browser history, affiliations</a>, and other installed software.</p> </li> <li id="M200809060"> <p>Google Chrome contains a key logger that <a href="https://web.archive.org/web/20190126075111/http://www.favbrowser.com/google-chrome-spyware-confirmed/"> sends Google every URL typed in</a>, one key at a time.</p> </li> </ul><!-- #SpywareInVR --><div class="big-section"> <h3id="SpywareInVR">Spyware In VR</h3>id="SpywareInNetworks">Spyware in Networks</h3> <span class="anchor-reference-id">(<ahref="#SpywareInVR">#SpywareInVR</a>)</span>href="#SpywareInNetworks">#SpywareInNetworks</a>)</span> </div> <div style="clear: left;"></div><ul> <li><p>VR equipment, measuring every slight motion, creates the potential<ul class="blurbs"> <li id="M201902040"> <p>Google invites people to <a href="https://www.commondreams.org/views/2019/02/04/google-screenwise-unwise-trade-all-your-privacy-cash?cd-origin=rss"> let Google monitor their phone use, and all internet use in their homes, for an extravagant payment of $20</a>.</p> <p>This is not a malicious functionality of a program with some other purpose; this is the software's sole purpose, and Google says so. But Google says it in a way that encourages mostintimate surveillance ever. Allpeople to ignore the details. That, we believe, makes ittakesfitting tomake this potential reallist here.</p> </li> <li id="M201606030"> <p>Investigation Shows <ahref="https://theintercept.com/2016/12/23/virtual-reality-allows-the-most-detailed-intimate-digital-surveillance-yet/">is software as malicious as many other programs listed in this page</a>.</p> <p>Youhref="https://www.techdirt.com/articles/20160602/17210734610/investigation-shows-gchq-using-us-companies-nsa-to-route-around-domestic-surveillance-restrictions.shtml">GCHQ Using US Companies, NSA To Route Around Domestic Surveillance Restrictions</a>.</p> <p>Specifically, it canbet Facebook will implementcollect themaximum possible surveillance on Oculus Rift devices. The moral is, never trust a VR system with nonfree software in it.</p>emails of members of Parliament this way, because they pass it through Microsoft.</p> </li> <li id="M201212290"> <p>The Cisco TNP IP phones are <a href="http://boingboing.net/2012/12/29/your-cisco-phone-is-listening.html"> spying devices</a>.</p> </li> </ul></div><!-- for id="content", starts in the include above</div> </div> <!--#include virtual="/proprietary/proprietary-menu.html" --> <!--#include virtual="/server/footer.html" --> <div id="footer"> <div class="unprintable"> <p>Please send general FSF & GNU inquiries to <a href="mailto:gnu@gnu.org"><gnu@gnu.org></a>. There are also <a href="/contact/">other ways to contact</a> the FSF. Broken links and other corrections or suggestions can be sent to <a href="mailto:webmasters@gnu.org"><webmasters@gnu.org></a>.</p> <p><!-- TRANSLATORS: Ignore the original text in this paragraph, replace it with the translation of these two: We work hard and do our best to provide accurate, good quality translations. However, we are not exempt from imperfection. Please send your comments and general suggestions in this regard to <a href="mailto:web-translators@gnu.org"> <web-translators@gnu.org></a>.</p> <p>For information on coordinating andsubmittingcontributing translations of our web pages, see <a href="/server/standards/README.translations.html">Translations README</a>. --> Please see the <a href="/server/standards/README.translations.html">Translations README</a> for information on coordinating andsubmittingcontributing translations of this article.</p> </div> <!-- Regarding copyright, in general, standalone pages (as opposed to files generated as part of manuals) on the GNU web server should be under CC BY-ND 4.0. Please do NOT change or remove this without talking with the webmasters or licensing team first. Please make sure the copyright date is consistent with the document. For web pages, it is ok to list just the latest year the document was modified, or published. If you wish to list earlier years, that is ok too. Either "2001, 2002, 2003" or "2001-2003" are ok for specifying years, as long as each year in the range is in fact a copyrightable year, i.e., a year in which the document was published (including being publicly visible on the web or in a revision control system). There is more detail about copyright years in the GNU Maintainers Information document, www.gnu.org/prep/maintain. --> <p>Copyright ©2015, 2016, 20172015-2020 Free Software Foundation, Inc.</p> <p>This page is licensed under a <a rel="license"href="http://creativecommons.org/licenses/by-nd/4.0/">Creativehref="http://creativecommons.org/licenses/by/4.0/">Creative CommonsAttribution-NoDerivativesAttribution 4.0 International License</a>.</p> <!--#include virtual="/server/bottom-notes.html" --> <p class="unprintable">Updated: <!-- timestamp start --> $Date: 2020/07/09 17:32:23 $ <!-- timestamp end --> </p> </div></div></div><!-- for class="inner", starts in the banner include --> </body> </html>