“We don’t really know why we’re trusting that a particular company with access to our data won’t do something like sell it or rent it or share it without our consent,” said Lee Tien, a lawyer for the Electronic Frontier Foundation, a nonprofit that focuses on digital rights.
That’s not to say the tech behemoths are innocent. The data leak to Cambridge Analytica was ultimately Facebook’s fault because its app platform allowed data to be harvested from people’s friends lists in the first place. About five years ago, Google had to pay a $7 million fine after acknowledging that it had scooped up passwords, email and other personal data with its Street View mapping project.
Yet I am recommending taking extra caution with obscure tech brands because it is something under your control. You can take a pause. Don’t immediately download every app you see in an app store or on the web just because it looks fun. Don’t take every quiz you see on Facebook (even if you are dying to know which “Game of Thrones” character identifies with you). Don’t impulse buy internet-connected devices from unfamiliar brands. Don’t do any of this without first doing some research on the reputations of these vendors and their business models.
Here are some examples of when unknown brands did us wrong — and the lessons we can learn.
The ‘Free’ Email Service
Last year, The New York Times revealed that Uber bought information about Lyft, its main ride-hailing competitor in the United States, from Unroll.me, a free email service that offered to unsubscribe people from marketing emails.
How did Unroll.me get data about Lyft? Unroll.me scanned users’ inboxes for information and sold it to other businesses, and Uber paid it for data it found about Lyft receipts. Many consumers found it misleading that a company that promised to rid you of spam from marketers made money by selling your information to marketers and other companies.
In response to the backlash, Unroll.me said it was “heartbreaking” to see that people were upset and pledged to be more transparent about its use of data. The app continues to operate.
The lessons. Whenever you have the time, read privacy policies before opting to share your data with a brand. This is a daunting task but a healthy exercise, especially when you are unfamiliar with, and distrustful of, an obscure company. And do the best you can to research a company’s business model. When a service or product is free, assume that your personal information is being monetized.
“We all need to know that whenever you’re not paying for the thing, then you’re paying for the thing in a nonmonetary way,” Mr. Tien said.
The Messaging App That Spied
Last year, an app called Soniac was available for Android phones on the Google Play app store. Soniac marketed itself as a messaging app — and indeed, it included features for sending text messages. Its less obvious features: the app could also silently record audio, take photos with the camera, place phone calls and download call logs, among other things.
Lookout, a security firm that follows malicious software for Android devices, alerted Google about Soniac’s hidden abilities last year, and the app was quickly removed from the Play app store.
Yet Lookout said its researchers had identified over 1,000 spyware apps with many of the same characteristics that Soniac had. Many of those spyware apps were served in third-party app stores that are not authorized by Google.
The company that offered Soniac, Iraqwebservice, had published other spyware apps on the Play store. All of its apps have been removed from Play, but Lookout warned that the spyware would probably resurface in the future.
The lessons. For one, before you install an app from a company you’ve never heard of, look at its user reviews and do a web search on the company to see if its services are legitimate. You can also check reputable web publications that review apps, like TouchArcade, CNET and Tom’s Guide.
For another, when installing an app, take a close look at what data it is accessing. Smartphone apps will ask for permission for access to certain data and sensors. If an app is asking for data that is unrelated to the product, don’t install it. For example, you can reasonably expect a mapping app to ask for your location data, but it shouldn’t need access to your camera.
“If something seems outside of the scope, like if a calculator app tells you it needs to use your webcam, say, ‘What, why?’” said Adam Kujawa, the head of malware intelligence at Malwarebytes, a security firm.
Third, avoid downloading apps from unofficial app stores and sites that are not affiliated with large brands. And keep in mind that alternative app stores are particularly ripe for malware, because just about anything can be distributed there, similar to a flea market.
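The permission check described above can be automated once an app's manifest has been decoded to text XML. The Python below is an added example, not part of the original article; the per-category baselines and the sample manifest are constructed assumptions, and a flagged permission is a prompt to ask why, not proof of spyware.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names mapped to the data or sensor they expose.
SENSITIVE = {
    "RECORD_AUDIO": "microphone", "CAMERA": "camera",
    "CALL_PHONE": "placing phone calls", "READ_CALL_LOG": "call logs",
    "ACCESS_FINE_LOCATION": "precise location",
    "ACCESS_COARSE_LOCATION": "approximate location",
    "SEND_SMS": "sending text messages", "READ_SMS": "reading text messages",
    "READ_CONTACTS": "contacts",
}

# Assumption: what a reviewer considers in scope for each kind of app.
EXPECTED = {
    "messaging": {"SEND_SMS", "READ_SMS", "READ_CONTACTS"},
    "mapping": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "calculator": set(),
}

# Constructed sample: a decoded manifest for a hypothetical messaging app.
SAMPLE_MANIFEST = """<manifest package="com.example.chat"
    xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the short names of every permission the manifest declares."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name", "")
            names.add(name.rsplit(".", 1)[-1])
    return names

def out_of_scope(manifest_xml, category):
    """Map each sensitive permission outside the category baseline to what it exposes."""
    extra = (requested_permissions(manifest_xml) & set(SENSITIVE)) - EXPECTED[category]
    return {name: SENSITIVE[name] for name in sorted(extra)}

if __name__ == "__main__":
    for name, exposes in out_of_scope(SAMPLE_MANIFEST, "messaging").items():
        print(f"ask why: {name} ({exposes})")
```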
Tech That Collects Data on Minors
Parents, beware: A number of internet products have specifically collected data about children. EchoMetrix is a notorious example. In 2009, the company issued a news release bragging that it had predicted the winner of that year’s “American Idol” singing competition.
How did it do that? By looking at children’s private information. The company started in 2004 with the name SearchHelp, offering a parental control app called FamilySafe for parents to monitor their children’s online activities. Five years later, it rebranded itself as EchoMetrix and released Pulse, a tool for providing insight to third-party marketers on youths, by aggregating data from millions of teenagers’ chat transcripts and blog posts, among other sources.
EchoMetrix’s practices attracted the attention of the Electronic Privacy Information Center, a privacy rights group, which filed a complaint about the company to the Federal Trade Commission. The group accused EchoMetrix of violating the Children’s Online Privacy Protection Act by collecting information on minors without parental consent. In 2010, EchoMetrix reached settlements with the commission and the New York attorney general’s office in which it agreed not to analyze or share information about children’s private communications or online activities. EchoMetrix has since rebranded itself as Protext Mobility, a biotech company.
The lessons. Be judicious when choosing tech products for your children. Increasingly, toys are beginning to include internet connections — before buying a “smart” toy, do your homework on what the companies are doing with the data. Common Sense Media, a nonprofit that evaluates content and products for families, is a good place to start your research.
Perhaps the most important lesson is to acknowledge that you don’t know anything about the vast majority of brands you engage with on the internet. So tread carefully.
“These threats aren’t going away,” Mr. Tien said. “With the expansion of data collection and the expansion of what’s possible to collect, it’s just going to continue to proliferate.”