Random Thoughts – Randocity!

Rant Time: Is Apple protecting our devices better than Google?

Posted in Apple, botch, business, Google, mobile devices, security by commorancy on August 20, 2020

While many people believe that Google’s App store is a far inferior store to Apple’s app store, there is also a misplaced belief that Apple’s store offers more propriety than Google’s Play store. We need to understand more about both ecosystems to better understand the answer to this article’s question. Let’s explore.

App Protection

Certainly, iOS appears to be more resilient to malware on the surface, but is it? Google’s Android also appears way more prone to malware on its surface, but is it? We need to understand more about both of these operating systems and each OS’s overall ecosystems.

Let’s understand better how and why Apple has garnered its appearance of propriety, with “appearance” being the operative word. The first reason that Apple appears to have a better system in place is primarily because iOS doesn’t allow side loading of apps. What is side loading? Side loading is the ability for the user to load apps outside of the Android app store, for example using a USB cable or, more importantly, by downloading an ‘APK’ file directly to your device from any web site.

While there are means and methods of side loading apps on iOS, it can only be done through Apple’s developer toolkit. You cannot perform this process directly on a phone in the wild. You can’t even do it with iTunes. If you even wanted to side load an app, you’d have to jump through some fairly complicated hoops to make that happen on iOS. This one restriction forces you to download ALL apps from the App store.

On Android, you can not only use the App store to download apps, but more importantly, you can side load them. Side loading an app on Android does require some security setting changes, but this change is easily done in about 3 simple steps.

Does side-loading account for all of Google’s malware?

No, it doesn’t. After all, there are many who likely haven’t changed the necessary side-loading parameters and have still been hit by malware. So then, how did the malware get onto their phone? Likely, through the App store directly.

One App Store

Here we come to the second reason why propriety seems to prevail at Apple. With Apple, there is one and only one app store. With Google, there are many, too many. Google not only runs Google Play, but there are many other App stores including:

  • Amazon
  • Samsung Galaxy Apps
  • Aptoide
  • Sony Apps
  • Huawei App Store
  • F-Droid
  • GetJar
  • AppBrain
  • SlideMe
  • 1Mobile
  • Opera Mobile Store
  • Appolicious
  • NexVa
  • Kongregate
  • Appland
  • Itch.io

These stores are all independently owned and operated. This is not a complete Android app store list, but it gives you an example of how many different app stores are available for Android. This is significantly different from Apple’s iOS, which only supports one app store and that store is operated by Apple and Apple alone.

There is no such thing as a third party app store for iOS. It simply doesn’t exist.

Multiple App Stores

Because of Google’s insane choice to allow many app stores to operate simultaneously by different companies, Android users are at the mercy of each of those app store’s propriety. The difficulty is, there’s no rhyme or reason or protection afforded by many of these app stores, let alone Google Play. The secondary problem is that some of these app stores come preloaded as the primary download store on some Android devices.

Clearly, Google branded devices come shipped with Google Play set up. Amazon devices come shipped to use the Amazon app store. However, no-name brand Android devices likely come shipped with one of the above non-Google stores installed. In fact, it could even be set up to a store not in the above list… a store operated by the manufacturer of the device.

Careful with that App

The difficulty with multiple app stores is one of, you guessed it, propriety. What I mean by using this specific word ‘propriety’ is the app store’s ability to police its content for completeness, functionality and, yes, malware. In short, propriety is a company’s ability to protect its download users from malware or dangerous software.

The difficulty is that while Google might have enough money to throw at App vetting to ensure higher quality apps reach its stores, not every store in that list has the money to afford that level of commitment.

What this means for consumers is, when you use a random app store, you take your chances with malware. Multiple stores combined with side loading is nearly the sole reason why Android gets a bad rap for malware. These two things are something Apple doesn’t do in its ecosystem. For Android, it’s worse still. As a consumer of a device, you don’t really know which app store is the default on your device. Most app store manufacturers properly label their apps, but cheaper devices made by random Chinese manufacturers tend to play games with naming and might name their app store app Goggle Play or Gooogle Play or even simply Play Store. There are many ways that manufacturers of cheap phone devices can trick you into thinking that you’re getting your apps from Google’s store… when, in fact, you’re not.

Not only are there too many app stores that can provide questionable apps, Android has been licensed by so many random Chinese manufacturers (okay, so perhaps licensed isn’t necessarily the correct word here… it’s more like, ripped off). Anyway, if you buy into any of these super cheap Chinese phone brands, you have no idea where your apps are really coming from. Although, because it’s Android, you should be able to load Google’s Play store (the real thing) and use those apps instead… with should being the operative word. The device manufacturer could have instituted a block to prevent the use of the Google Play store.

However, replacing a crap store with Google Play typically takes effort on the part of the consumer… that and knowledge that they must take this step. Most consumers are oblivious to this aspect of their phone’s use and naturally assume the included app store is looking out for their phone’s well-being and their own best interest. You should never assume this, not even with Apple devices.

Apple’s App Store

Here we circle back around to Apple. We are beginning to see why Android is in the state that it’s in, but how much better is Apple’s ecosystem of devices?

A lot of people believe that because there’s only one iOS app store and because Apple is the sole operator of that store that this somehow makes Apple devices safer to use.

Security through Obscurity

This is a phrase tossed around in the security communities. What it means is that because a platform is more obscure (more exclusive and closed), that that somehow makes the platform safer to use. Security through obscurity works maybe 10% of the time. Maybe. The other 90% of the time it’s less about obscurity and more about best practices.

For example, you should never load random apps from any store. It doesn’t matter if it’s Android or Apple. If you don’t know anything about the developer, you shouldn’t trust them. Why?

App Store Approval Process

Apple’s app store approves apps for release into the store based on specific usability criteria. For example, that the developer is not including terms-of-service restricted content or features. Restricted content being whatever Apple or Google or that specific app store deems off limits within an application.

The developer must verbally or on a written form affirm that their app does not contain such restricted content when submitting it for approval. Even then, Apple may or may not be able to verify such an affirmation. Basically, developers can lie and say their app doesn’t do something that it does, in fact, do. Apple and/or Google may not be able to see the app doing it until that specific set of code in the app is triggered. In other words, the app may appear totally genuine enough to pass Apple’s and Google’s store submission criteria.

We have seen some apps which have been released into the app store as a result of such affirmations only to be pulled from the store when it is found that the developer lied about what was affirmed and stated to have not been included in the app. Apple doesn’t take kindly to lying about app features, particularly when you can see the app doing things it shouldn’t be doing.

Apple is relatively quick on removals of offending content from its app store. Google Play and other Android stores may not be quite so nimble in this process. In fact, many of the third party stores may not even police their apps at all. Once it’s in their store, it may be there more-or-less permanently. Apple is much more active and selective in ensuring that its apps uphold developer agreements. However, there is a limit to even Apple’s propriety.

Epic Games

This is a recent fight between Apple and Epic Games. Epic Games apparently decided to change the way it utilized in-game purchases, which has since culminated in Apple rescinding Epic Games’s license to use Apple’s developer tools. Both Apple and Google have since removed Fortnite from their respective app stores citing violation of the store’s terms.

In-app payments require that developers hand over a portion of their profits to Apple and Google. However, there are ways of circumventing that by including outside payment systems in apps. I don’t know exactly what was included by Fortnite that triggered this specific problem, but apparently Epic wasn’t satisfied by Apple’s greedy in-app payment system and decided to take a stand.

Some may think this is about consumer protection. It’s not. It’s about Apple profiteering protection. Apple cites its terms that apply equally to all developers, but in fact, this specific condition is intended to maintain Apple’s profits. Yes, it does apply to all developers (well, almost all developers… see Amazon below), but it is also a condition that is unfavorable to developers and extremely favorable to Apple’s bottom line.

Ramifications

Apple picked a fight with the wrong company in this “epic” (ahem) fight. Epic Games also happens to be the developer of the Unreal game engine. This is a very widely used game engine throughout the gaming industry. It’s probably one of THE most commonly used engines, particularly on gaming consoles.

Without access to Apple’s iOS developer tools, this engine is effectively dead on iOS (and MacOS) devices. Worse, developers who rely on Unreal to drive their own iOS games may soon find that they have to find another game engine. These Unreal engine users may wake up to find their Unreal-based game removed from Apple’s app store as a side effect of Epic Games’s removal.

If Unreal can’t be supported, then neither can the games that utilize this engine. This Epic Games fight has deep reaching ramifications for not only Apple, but also impacts every iOS device owner and every developer that uses Unreal to drive their game. If that game you love was built around Unreal, you may find that app no longer available in just a few weeks.

If you have the app downloaded onto your device, you can still use it. Bought a new Apple device? Well, don’t expect to cloud download that app again if it’s been removed. You’ll need to rely on iTunes backup and restore instead of Apple’s cloud storage… which relies on downloading the app again from the app store. If it’s been removed, the app will be unavailable. Only backing up and restoring through iTunes will recover apps you presently have on your phone device and which are no longer in Apple’s app store. Didn’t do this? Oh, well. That app is gone.

Apple’s Ramifications

Apple’s once burgeoning gaming section may soon become a ghost town. Maybe this is an exaggeration, but maybe not? Let me explain. The loss of the Unreal engine from the iOS platform is a huge blow to iOS game developers worldwide. It means game developers must either now build their own engine instead (to avoid such engine removals in the future) or rely on another gaming engine that supports iOS (at the peril of it being removed in the future).

Apple is effectively “Cutting off its nose to spite its face”. In other words, Apple has most likely done more long term damage to its own brand and products than it has done in short term damage to Epic Games. Sure, Epic’s loss of Fortnite on iOS is a big loss to Epic, but Apple’s loss of the Unreal engine is a much, much bigger problem for Apple.

If developers can no longer turn to the Unreal engine for use on iOS, then that means fewer games will be developed for iOS… at a time when iOS doesn’t need this gaming speed bump. Fewer games developed means fewer game apps in the app store. Fewer game apps means less revenue for Apple. Basically, Apple’s loss of revenue from cutting off developer access to the Unreal engine will come back to bite Apple hard in the ass.

Apple relies on that in-app revenue for its continued operation of the App store. If that revenue dries up, well so too will iOS devices while also undercutting MacOS notebook sales. It’s not just about Fortnite here. It’s about every iOS game using Unreal that also uses in-app payments legitimately. People won’t buy into a mobile platform when they can no longer find and play their favorite games, particularly if those games are on other platforms. The loss of the Unreal game engine is a big deal to Apple. Considering Apple’s paltry 10-13% mobile device market share as of 2019 (and shrinking), killing off development tools that bring revenue to the platform should be a big deal to Apple, one would think.

However, there are still other game engines that developers can use, such as Unity, BuildBox and AppGameKit. With the loss of the Unreal engine, on which many, many console games are built, straight ports of well recognized and popular console games to iOS will become almost impossible. Very few console developers choose Unity and none use BuildBox or AppGameKit.

If Apple was hoping to pull over the bigger console titles onto iOS, they’ve just lost that opportunity by kicking Epic Games off of their platform. No console developer will spend several years porting their Unreal based game to Unity or one of the other game development kits. Without Unreal on iOS, the much larger money making console games will forever be locked out of iOS, simply because of Apple’s stupidity.

Instead of trying to work through a compromise with Epic Games over this issue, they simply pulled the plug. They’ve “thrown the baby out with the bathwater”. They’ve, as I said above, “Cut off their nose to spite their face.”

Apple’s Stupidity

This is a huge blow to iOS devices and to consumers alike. Within the next year or so without Epic Games support on iOS, Apple’s gaming community is likely to dry up. Games like Fortnite can no longer come to exist on Apple’s platform because of the loss of the Unreal engine.

There is a bigger danger to using third party game engines for iOS games. If you, as a developer, settle on a third party game engine and that engine developer has a fight with Apple, thus causing their developer licenses to be rescinded, just like Epic Games, you could see your game pulled from the store or, more importantly, obsolete by the next yearly iOS release. This whole Epic fight has some serious ramifications to the gaming industry.

I guarantee that with Epic Games being pulled from the Apple platform and if this is allowed to stand going forward, Apple’s usefulness as a gaming platform will greatly diminish. Not instantly, but definitely over time. It will definitely erode confidence in iOS and MacOS as a gaming platform.

Lest you think I’m being overly dramatic, I suggest you look at this very long Wikipedia page and see the list of games produced using Unreal for consoles, specifically Unreal Engine 4. Every single one of these games had the potential of making their way to iOS or even MacOS. This hope is now lost. The loss of the Unreal engine on Apple’s ecosystem is a loss to the entirety of Apple’s devices.

If Apple had designs of getting into gaming, they summarily lost that hope in one fell swoop. What’s worse is that other game developers may follow suit and voluntarily pull their engines from Apple’s devices as well, leaving only the smallest and crappiest of game development engines available for iOS devices… firmly dragging Apple’s devices back into the stone age for gaming. The best you can hope for are the silly finger swipe games that leave you bored in less than 15 minutes.

Sure, Bethesda, Ubisoft and Activision may continue to maintain their proprietary engines on iOS and MacOS for their specific games, but up-and-coming and existing Unreal console developers alike have lost any iOS portability inroads they might have seen on the horizon.

Though, I suppose this situation is a win for Sony’s PlayStation and Microsoft’s Xbox consoles… and consoles in general.

Epic Games Ramifications

I would be remiss without discussing the ramifications to Epic Games, also. Certainly, Epic Games has lost a huge platform for both Fortnite and the Unreal engine … well, two with the additional loss of Google’s Play store. Though, I don’t think that Google has yet rescinded Epic’s developer license for Android. As a result, would-be game developers considering which engine to choose will not choose Unreal if they have eyes on iOS, MacOS or possibly Android (depending on how far Google takes this). For game developers who’ve already chosen Unreal, it’s probably too late to undo that choice. Game developers in the planning stages can reconsider which engine to choose.

Epic Games Unreal engine may not fall out of favor with the game development community. It was formerly an engine developers could rely on, more specifically for a wide range of platform support. With the loss of iOS and Android, that leaves a big hole for the Unreal engine, and Epic Games. That’s basically the loss of every mobile platform! Epic Games chose this battle by not wanting to follow Apple’s greedy rules.

Honestly, I don’t blame Epic. Amazon fought with Apple over these very same rules a long while back. Amazon chose to remove all ability to buy anything via their apps. Though, the Amazon app seems to have regained its ability to purchase junk, but I’ve no idea how they’ve worked this with Apple. Epic should cite Amazon app’s ability to purchase products using a third party payment processor. If Amazon can do this, Epic should be able to as well. It seems that even Apple isn’t following its own “all developers are equal” rules.

Tim Sweeney, Epic Games CEO, should call out this incongruity in Apple’s “equal” application of its app store terms and conditions. If Epic Games is violating Apple’s purchasing rules, then so is Amazon… and so is any other company who is able to offer purchases using their own third party payment processor.

However, that doesn’t leave Epic Games without problems. Without iOS and Android for not only Fortnite, that leaves a huge revenue stream hole for Epic Games. That’s the downside for Epic. That and the loss of being able to license the Unreal engine to would-be iOS and potentially, depending on how far Google takes this, Android developers.

TikTok and WeChat

Beyond Epic, there are other problems brewing at Apple. The problem with Apple’s app store is that it will accept and publish apps from any developer from any part of the world. Yes, even communist bloc countries like China and Russia.

What does this mean for you as a consumer? It could mean spying, malware and theft of your data. Apps like WeChat and TikTok originated in China. These are apps that were intentionally designed and released by Chinese people who live in China and who have no ties to the U.S. and who don’t care about data privacy, your data or anything else about you. They don’t even have to follow United States laws. They want your money and they’ll do whatever they can to get it. They don’t care if they have to step on your toes (or turn on your camera and microphone at inappropriate times) to do it.

Apple has been entirely remiss in this area of vetting apps. Can we trust apps developed and produced entirely in China or Russia? Yet, Apple has published these apps to the App store and still allows them to remain in the store. But… Epic Games, a U.S. based game developer, can’t keep their app in the store because of silly in-app purchases? It’s perfectly okay to allow apps to spy and steal data for communist bloc countries, but it’s not okay for a U.S. developer to want to use a third-party payment processor. Yeah, Apple’s priorities are entirely effed up.

Apple’s values at this point are entirely suspect. What Apple has done to Epic is retaliation. It has nothing to do with propriety or consumer safety. It has to do with ensuring Apple’s revenue remains intact. If it were about consumer safety, Apple would have not only re-reviewed WeChat and TikTok for appropriateness the moment the President called them out, they would have been removed from the store.

This is where we learn Apple is not about propriety, it’s about making money. Losing the ability to make money from Fortnite (and by extension the Unreal engine) is way bigger of a deal than allowing Tencent and ByteDance to use their respective apps to potentially spy on U.S. consumers.

Here’s where consumers get lost in the mire and murk of it all. Apple’s silly hide-everything-from-everyone ideals allow this sort of behavior from developers to fester. Developers get to hide behind Apple’s veil of secrecy and “wall of friendliness” so that apps like WeChat and TikTok can flourish without consumers being the wiser.

Yet, here we are. Chinese and Russian apps are infiltrating Apple’s store with careless abandon, some of these are taking the Internet by storm, like TikTok. ByteDance rolled the big one with TikTok and now they can roll out spying measures if they wish, assuming they haven’t already.

I look on anything coming out of China as suspect. Most products coming out of China are third rate products that fall apart as soon as you sneeze on them. Many are counterfeit or are stolen designs from an original product created outside of China. Clearly, China’s ability to innovate is limited. Instead, Chinese engineers must reverse engineer an existing design that originated outside of China only then to build their thing based on that existing design. Copying is said to be the highest form of flattery, but in this case it’s intellectual property theft.

With products that don’t need the Internet, such as a toaster oven or a microwave or a fridge, other than their possibility of falling apart or harming you physically, they can’t steal personal data or spy on you. Like physically harming you with junk appliances from China, downloading apps from an app store can be equally harming to you. They can steal keyboard input, turn on microphones and cameras at inappropriate times, grab your photos… they can even monitor which apps you use and watch your movement around the city via GPS on your phone. There’s so much data they can collect about you, including the contacts in your phone book.

By installing one of these communist bloc apps, there’s literally a mountain of data they can learn about you from your device. Spying? That’s literally an understatement.

Apple has given the communist bloc countries carte blanche access to U.S. owned devices through iOS. Google has done the same with Android. Worse, both Apple and Google are doing absolutely NOTHING about this. Treason by U.S. companies? That’s an understatement. They not only allow these apps to be published, they’re endorsing them… and some of Apple’s and Google’s own developers may even be using these apps personally. Talk about inception.

Spying

Spying was formerly thought to be about covert operatives running around gathering intel with crude and rudimentary devices in black garb. Today, it can be done in broad daylight using every person’s very own cell phone right in their hand.

Need access to listen in on a conversation at a specific GPS point… I can just hear someone say, “Let’s see which of our apps are on devices close to that location.” Yeah, this is a real thing. Simply enable the microphone and possibly even the outward camera and BOOM, you’ve got access to immediate intel relayed instantly back to you in real-time.

Yeah, that’s the danger of social apps like TikTok and WeChat. They can be used to eavesdrop on anyone anywhere. You only need to give access to the camera and microphone and boom, they’ve got access anywhere the app owners wish.

Apple can thwart this possibility potentially, but only if they add some heavy restrictions for when and how these devices may be used. Like, for example, these devices can only be enabled when the app is the front most active app and the screen is on (i.e., the user is accessing the screen). Even then, access to these devices should always require positive confirmation to use them every single time. Without positive confirmation, these devices cannot be enabled remotely.

Otherwise, spying is already here. Nefarious apps can listen in on what you are doing without your knowledge. They may even be able to switch on the camera and stream video data back to whomever. Yeah, bad news here.

Malware

Many people think malware means software that intends to cause malicious harm to your device. It doesn’t only mean that. Malware covers a lot of territory including spyware, malicious software, ransomware and many, many other types.

Any type of software designed to subvert your device for someone else’s use is considered malware. Don’t limit your thoughts to only software that intends to erase or destroy data. It doesn’t end there. It begins there. It ends with any software of malicious intent, including any software that is designed to spy on you, steal your data, copy data from your device or attempt to get you to do things that might compromise not only your phone, but also your personal finances.

However, the days of overt malware are firmly over. Now we’re seeing a new wave of software that makes itself appear legitimate by offering seemingly legitimate services, but which have malware belying that happy-go-lucky façade. It’s the software version of social engineering. They trick you into believing you’re getting a real legitimate app, but underneath, these apps are doing things they shouldn’t be doing.

This is a new wave of bad news rolled into one app. No one can know the ultimate intentions of an app producer. Hopefully and trustingly, we put our faith into the developers’ hands to “do the right thing”, to be upstanding and give us an app that does only what it claims.

Unfortunately, we’ve moved into an era that’s now firmly gone beyond this. If you’re getting an app from a U.S. developer, you can pretty much be assured that what the app says that it does, it actually does do… and nothing beyond that. That’s a given because U.S. companies must follow U.S. laws. With apps coming from China or Russia or Cuba or Vietnam or even North Korea (don’t kid yourselves here), you have no idea what their ultimate motives for producing that app are. Worse, they are not required to follow United States laws. Yeah, and that’s the problem in a nutshell.

Apple and Google’s trusting nature

These communist countries not only see the dollar potential wrapped up in these apps, but they also see the spying potential above the dollars. Not only can they divert U.S. dollars outside of the country to fund who-knows-what, they can steal your data and spy on you, too.

Why? Because Apple and Google are far too trusting and let them do it. They believe that developers will be good neighbors and not do untrustworthy things. Apple and Google are both trapped into believing that everyone will follow United States laws. Naïve! Unfortunately, that trusting nature is now being used against both Apple and Google… though, Google more than Apple by these communist countries. Google devices way outpace Apple’s devices in market share. In 2019, Apple’s devices made up just ~13% of the market, where Google’s Android devices made up a whopping 87%! Together, Apple and Google make up close to 100% of the market, with the small remaining percent running other mobile operating systems (yes, there are a few).

For Google’s saturation reason, it’s no wonder why malware authors are targeting Google over Apple. It’s a simple matter of low-hanging fruit. Google’s fractured stores and litany of device problems has led to where we are. Malware authors can have a field day with Google’s devices because they can take advantage of these tinier stores with much reduced release restrictions. It’s easy, then, for small indie developers to release malware onto Android… far too easy. It’s much more difficult to do this same thing on Apple devices. That is, until you realize exactly how developers are outwitting Apple’s far-too-trusting nature.

Once not-so-upstanding developers understand they can disguise malware underneath a legitimate service, they can then push that service out to app stores (with Apple’s blessing) and get people to use it, in similar form to TikTok. In fact, perhaps the app was even released without the malware to have the appearance of propriety (and to pass Apple’s initial scrutiny). Then, after enough momentum has been reached, the app developer can then slowly release updates containing bits of malware at a time. As far as I know, Apple doesn’t put the same level of scrutiny into app updates as it puts into new app listings. Apple’s hands off approach to updates means the author can slip bad features into updates under Apple’s and our noses and none will be the wiser.

Security Considerations

You always have to really think 🤔 about what apps you have installed and why you’ve installed them. More than that, you need to find out who specifically is developing your apps and where they are in the world. You might be surprised to find that the author doesn’t live in the country where you reside. If the author isn’t in your country of residence, they don’t have to follow your country’s laws for, well, anything.

Of course, you never know what an app author intends by writing and releasing an app. Even the money making aspect on the surface may not be the actual agenda. Hopefully, the app’s purported use case (making money) is the only reason the app exists. Unfortunately, subversion seems to be becoming more and more common in apps, particularly those that may not be developed in the same country where you reside.

For example, someone who develops an app in China doesn’t have to follow the laws of any other country than China. Meaning, if the app developer decides to include spyware, no laws will apply to that developer other than Chinese law. Even then, since they weren’t spying on Chinese citizens, they likely won’t be seen as having violated any Chinese laws… even when spying on citizens in other countries. Because the U.S. can’t apply laws to Chinese citizens, any spying that may have taken place is damage already done. The only action that can be taken is banning the app entirely from the U.S., just as Trump had wanted to do with TikTok.

Every mobile device user must remain on their toes. You can’t assume that Apple’s closed store nature will protect you from spying or data theft (all forms of malware). Apple is way too naïve for that. Instead, you must do the research yourself. Determine who develops an app you intend to install. Find out where they live in the world. If they live in a country where you do not, your local laws will not apply if the developer includes illegal activities in your place of residence. This means they can do a lot of nefarious things and never be caught at it, particularly if they live in a country like China.

If you want to safeguard your own data, don’t install apps without knowing where the author lives. No, not on Android and not even on iOS devices. No, not even on… and especially not on company owned devices.

In this day and age of anyone and everyone who can design and build an app based anywhere in the world, we’ve firmly come to a time where our devices can be used to spy on us and those around us simply because we’ve installed a random app.

It’s now only a matter of time before government policies catch up with this technology trend and new laws begin emerging which intend to hold device owners responsible for treason when an app spies on and funnels data outside of your country of residence.

In answer to the article’s primary question: no, neither Google nor Apple is better at protecting our devices from malware. However, while the overt malware may be less common on Apple devices, Apple’s and Google’s trusting nature is now firmly subverting our devices for foreign spying activities… particularly when these apps are designed to intentionally use the camera and microphone.


Marketing, Facebook & Data Privacy

Posted in botch, business, california by commorancy on April 14, 2018

How is marketing related to Facebook and data privacy? These all fall under the same umbrella. Should you be concerned? Yes, you should be. Let’s explore.

Email Marketing

Let’s start with email marketing first, the precursor to social marketing. I’ve worked in the email marketing industry for the last 17 years at an operational level. I’ve worked on general email systems for over 25 years. So, I fully understand at all levels how email and email marketing work and what is required to make them continue to work in today’s world.

Email marketing became a “thing” in the mid-late 1990s in earnest. Before that, people dabbled in email marketing to the chagrin of many early internet users. It was around this time that the term ‘spam’ was coined to denote unwanted / unsolicited email.

Over the years, email marketing has evolved into a big business with firms now utilizing marketing automation systems. These systems help marketers manage their email marketing campaign efforts.

In the beginning, as a marketer, you had a list of emails and you sent content to those addresses. The content was the same to each user. There was no thought to personalization, tailored content or privacy of any of this data. Emails were sent using cron jobs via command line tools using Sendmail. This was initially the most basic form of email marketing. This would have been in the 90s.

Evolution of Email Marketing

By 2005, email marketing had evolved from its simplistic roots into more sophisticated systems using dedicated email marketing software from companies like Port 25 and OmniTI. These email server solutions facilitated the trend of building sophisticated marketing automation UI systems on top of these robust, fast, scalable and customizable email delivery systems.

By 2018, this underlying email software now includes the ability to send push notifications to apps and also offers sophisticated clustering systems to allow for highly scalable, highly available infrastructure offering incredibly fast delivery times.

On top of these infrastructures sit today’s marketing automation solutions. These systems offer such features as list management, drip marketing, recipient nurturing, automagic feedback reporting and detailed reporting of how each campaign is doing.

List Management

Back in the early days, list management was a chore. You had to deal with adding and removing new entries yourself manually. In reality, few marketers ever practiced real list hygiene. Most would add new entries, but never remove people who didn’t want to see that content. It was just too much of a hassle culling through thousands of email addresses. This is why email marketing got such a bad rap. Marketers didn’t take the time to remove users from their lists.

As of today, it is now legally required in most countries to remove recipients from lists in a timely manner. If you don’t remove addresses in a timely manner, your company (and possibly even you personally) may be held liable for failure to remove an address.

If you use a legitimate email marketing company today (one that upholds legal compliance), they will automatically handle opt-out requests for every email you send. No need to worry about whether you’re compliant, as email marketing firms automatically add links to handle all of this for you, as long as you use their database.

Recipient Likes and Preferences

Email marketing has a huge drawback (well, two actually). The first and biggest drawback is the inability to understand the user’s likes and wants. There’s just no real way to get that level of detail out of a particular recipient simply because email interactions are so few and far between. You can’t get what you need out of email marketing to effectively target each individual user in a way that makes sense for their likes, product preferences, location and personal information… at least, not without using more advanced features like drip marketing and advanced real-time feedback. Email marketing is typically just too hands-off for this type of experience. Enter the second problem…

Evolution of Social Marketing

The second drawback is that while email marketing today is still a very valuable form of communication, it is becoming old and dated technologically. Email clients haven’t been updated in a very long time, technologically and interactively speaking. Basically, the features that were commonplace in email by the late 90s are still the standards that we’re rocking today. In other words, email clients don’t support updated technologies like video and audio content right in the email. You have to click to a web page to see this type of interactive content. The best an email can do is an animated GIF, and that’s of little consolation when you’re wanting to offer much, much more interactive content.

In comes social media. Sites like Twitter and Facebook and Snapchat and, to some degree, even YouTube offer better ways to find like-minded folks and advertise to them. Marketers also have a lot of the same tools at their disposal, like list upload to find their existing users on Facebook. Unlike email which is pretty much a one-way system, social media offers two way interaction. People share their family information, their favorite products, their favorite restaurants, their friend information and so on. All of this sharing means more ways for marketers to mine that information about a specific individual. This information is, in fact, a gold mine for advertisers. It means that instead of the mostly one-way interactions and guessing with email, advertisers can now utilize the two way interactions of social media and find out what a user likes very quickly.

Amazon follows this trend with its own systems by targeting users with product ads that third parties purchase. It’s a way to target users with products and services the user is most likely to be interested in.

Of course, these are not perfect systems. There’s still a certain amount of guessing involved. Social marketing systems are only offering seemingly relevant best guess suggestions based on other people’s social and purchasing habits. However, social guesses are at least based on actual data of purchase history and other shared information, rather than the near completely blind guess that email marketing uses.

Facebook and Privacy

In order for these suggestion systems to work, they must have enough information about your buying habits, what you already own, how many people are in your family, their ages, if you have pets, what car you drive and so on. The more companies know about your personal habits, the more they can target products that make sense to you. It’s a catch-22 though. The more they know, the more dangerous it is for you. Sharing your personal information means someone could learn about you and your habits and then steal your identity.

Enter Facebook. Facebook collects all of this data and more about you. They then mine this data on behalf of their advertisers. Advertisers submit their product(s) to Facebook for advertisement on its platform. The system then finds folks, based on their shared content and interests and displays an ad for a product you might be interested in. If you talked about cancer in a wall post, an ad might pop up for oncology services.

This heavily personalized advertisement system is a far cry from the old cold guess email marketing. However, social marketing was born from the idea of email. Email has now been trying to catch up and compete with this more interactive and interest-based advertising system. Unfortunately, email is firmly entrenched in the past. It’s great for individual communication. For predictive communication, email sorely lacks. Worse, it’s not likely to ever catch up in this area. Though, it’s still a good medium when combined with social marketing. Meaning, if you can mine people’s interests out of social platforms, you can then target them with products and services via email.

Data Privacy

Here’s where Facebook has failed time and time again. When someone uses a social platform to share information, it is expected that that information will remain private and only be shared with those folks who have been allowed to see it. Or, more specifically, shared with people licensed to see it based on the agreed terms and conditions.

However, Facebook only offers a very basic permissions system. Extensive permissions systems have been available on operating systems for years. Yet, Facebook’s platform didn’t start out that way and still isn’t anywhere close. Facebook started with no privacy at all. Your data was published for everyone to see. As time progressed and people complained, Facebook added more and more user controllable permissions.

For each step that Facebook took, it consisted of tiny baby steps. They’d add incremental protection of that data, just enough to satisfy a single complaint. But, they’d leave plenty of other data exposed. As they would take more baby steps, they would implement one more control, then another, then another and on and on to where we are today. Instead of designing a system that offered robust privacy from the beginning, Facebook opted to build it piece by piece as they went along… sometimes backtracking in certain areas.

While Facebook’s user privacy controls were fairly robust by 2014 (user to user), Facebook still didn’t have much in the way of privacy when using its application programming interface (API). Developers could sign up and extract data via this API with far fewer boundaries. It wouldn’t be until later when Facebook, yet again, took another baby step that they would limit what developers could extract. By then, it was too late for Facebook to do anything about Cambridge Analytica, a company whose data brokerage business model is all about selling collected data.

Abuse

Email marketing has long recognized abuse to be a big factor in the industry. Handling abuse is what distinguishes good actors from bad. Sites such as Spamhaus exist to watchdog and prevent such email abuse and enforce industry best practices. While email marketers have had to grow much more knowledgeable about email marketing best practices, Facebook is entirely new territory for marketers with no such outside policing as Spamhaus. Even new email tools such as DMARC, DKIM and SPF have grown to help protect and legitimize the email marketing industry. Nothing like these exists for social marketing.

While Spamhaus helps to protect and prevent unwanted spam from random third parties, there is no such watchdog to protect your data from unwanted prying eyes within companies like Facebook or Twitter. With email abuse, there are also organizations like MAAWG to help manage that email abuse. Again, there’s nothing offered on Facebook, except whatever Facebook decides is necessary. You’re at the mercy of Facebook to give you those tools, and currently their solutions are limited and swayed entirely to Facebook’s best monetary interests.

On the one hand, most people are very protective of giving out their email address to random people. Yet, on the other, these same folks are completely willing to log into Facebook, Instagram, Snapchat, Whatsapp and Twitter and give up their everyday lives, their pet’s name, their employer, their spouse’s name, their location and sometimes even their phone number, email address or other personally identifying information (PII). Worse, Facebook now requires the use of what appears to be a valid First and Last name, though you can put any data you want into those fields and there’s no way for Facebook to verify this. Other social platforms don’t require this. This Facebook requirement ensures the lack of privacy and that users can be targeted by outside third parties. It also ensures that data can be e-pended by outside parties.

Abuse of email has real tangible penalties behind it. Abuse of social networks only has a single company behind it, like Twitter or Facebook. There are no industry standard watchdog groups out there helping guide marketing organizations towards best practices. In fact, such a watchdog group couldn’t really exist because, unlike email, there are no sanctions that could work to stop bad actors short of asking their ISPs to stop routing traffic for those companies. Such a move would likely be met with a huge legal backlash from the company. After all, the ISP did sign contracts to supply service to Facebook. If they cut off peering to them, Facebook would have them for legal lunch. Nope, there’s no sanction against a company like Facebook that could work. Not even a lawsuit could be all that effective.

Instead, these unstoppable organizations are in it to make money off of your data. This is why companies like Cambridge Analytica can come to exist on Facebook and steal 87 million (or more) users’ data. This is why there’s nothing Congress can do to Facebook. No laws means nothing to enforce. The only thing Congress (or each state) can do is enact laws to protect each person’s data and force Facebook to become legally compliant with those laws. Of course, Facebook might face other laws they could have run afoul of, but because the US has no real data privacy laws, there’s nothing here to enforce… even with companies like Cambridge Analytica.

Protecting Your Privacy

Only you can protect your privacy and your data. You can’t leave it to companies to do this for you… particularly if you live in the United States. If you want to share everything you do with the world, then you can’t easily protect your privacy. Note that even if you never put a single piece of personally identifying information online, you still may have shared enough other minimally identifying information that when put together, someone can eventually identify you.

For example, if you visit Starbucks every day to take a photo of your coffee cup each morning, someone could find that particular Starbucks and stalk your movement there. They could hear you give the cashier your name or other personal information. They might listen for your name to be called. They might bump into you intentionally to make you drop your stuff. They might watch you get into your car and take down your plate number. They might even follow you home. This is why sharing everything you do online can be dangerous.

Even if you never give your real first name, last name, address, phone number or other information, you (or your friends) may have shared enough photos, locations and friend information to eventually identify you. This information isn’t considered personally identifying information alone, but when pieced together, it is. With enough data pieced together, someone might find out who you are, where you live, your address and possibly even your phone number… maybe even other data such as SS#, CC# or anything else were they to obtain some of your mail.

This is, of course, all made worse by companies like Facebook that don’t take data privacy seriously and only produce half-baked “security theater” mechanisms designed to look like they protect you, but that in reality don’t. You’re continually putting your data into the hands of folks like Mark Zuckerberg who has, time and time again, shown that his platform cannot be trusted to store personal data.

Security Theater

While email marketing now has a robust set of industry checks and balances, technological measures, industry watchdogs, laws and best practices… social marketing offers very limited controls. The reasons for this: 1) it’s so young, 2) it doesn’t interact with third parties like email and 3) systems like Facebook won’t offer such controls. Email must interact with many unrelated parties along the way to get your email to an inbox. Social marketing has a captive audience inside a single platform operated by a single company, whether inside of Twitter’s network or Facebook’s network or whomever.

This means that while email marketers must comply with laws, technical standards, best practices and other data collection and use controls, sites like Facebook face far fewer data handling laws. This means that your data is effectively open to the highest bidder. Yes, Facebook claims to have taken strides to help protect and safeguard your personal data, but you don’t know if that’s true or not. No one audits Facebook to make sure these claims are, in fact, true.

With email marketing, it’s crystal clear when a customer uses an inappropriately collected list. With Facebook, there is no way to know whether your data has been appropriately or inappropriately used because Facebook gets to make the rules. Rules that can change from one day to the next.

I’ve worked for enough high tech companies to know that most companies create a lot of security and data privacy theater in place of actual mechanisms. Meaning, they state in their policies that they do something, but the technological measures to back up those policies don’t always exist. This facade, otherwise known as “theater”, is what lets companies get away with policy breaches unaware. It’s usually driven by a case of “Easier said than done”. Implementing technical measures to enforce a policy isn’t always easy, particularly if said data is terabytes in size. Instead, companies perform it on a case-by-case basis. It also might take them weeks to complete the task. The policy may be written into the legal terms and conditions. However, when a customer actually wants to know if that policy is enforced, the company will then manually enforce that policy on that person’s data, assuming they even give you an honest response to your question.

You’d be surprised to find that this situation happens a lot more often than you might be aware. Even many legal teams are unaware of this situation in their own companies. They think that what’s in the policy is always carried out every time. In fact, that’s not true much of the time. This is simply because legal teams rarely carry out internal audits to ensure that written, published policies are being followed internally. Even then, some legal teams are both aware and complicit in allowing the technical teams to not follow the policies to the letter.

I would also be remiss in not mentioning that some legal teams write data policies without informing the necessary internal teams of the policy changes or additions. Without buy-in and support from the appropriate technical teams, the written word can’t always be translated into functional technical procedures. This means that the legal team is out of step with what is technically feasible. Legal teams should always propose and write policy in conjunction with the teams that must support those policies. As a lawyer on an in-house legal team, you can’t just write policy because it sounds good and then assume it can be implemented easily. That doesn’t always work. Hence, security theater.

Data Deletion and Right to be Forgotten Laws

Here’s the outcome of security and data privacy theater. If you request a company to delete your data, you won’t know if your data has been irrevocably deleted. Many companies hang onto long term backups for exceedingly long periods of time. This means that while your personal data may no longer exist on a live hard drive and may no longer be visible via a web interface, it could still exist on a long term data backup solution the company uses. It might even exist via an API system. Note that some data backup solutions exist on live disks, such as using the Cassandra or Elastic database system or even such reporting systems like Splunk or Elastic’s ELK. Some of these internal systems may never or rarely get purged. Even basic text log files, which may contain some or all of your personal data, may be retained for years due to Sarbanes Oxley and other data retention requirements.

Early in the life of email marketing, you might not expect to be unsubscribed. Today, laws require email marketers to remove your email address from their list within 10 days. The word remove is subjective. The actual term is unsubscribe. Even after unsubscribing, the company can continue to hold onto your email address in their database so long as they never email you. In fact, an opt-out request is simply to unsubscribe you from their mailings. It doesn’t ensure your email address will be deleted from their list. This is how your email address can accidentally be mailed again in the future despite a previous opt-out request.

Data deletion has no laws in effect in the US. US companies are not obligated to delete your data even if you so request it. They can leave it on systems within their organization. This, unfortunately, leaves your information vulnerable to data breaches by unauthorized persons. This is why you can request a company to delete your data and later find out your data was involved in a data breach years later. Or, you may find identity theft from a data breach where you had asked a company to delete your data. There are no laws that require companies to delete data when requested… at least, not in the United States. In the UK and EU, the right to be forgotten laws have been written and will apply to UK and EU citizens under the GDPR. Whether those laws continue to exist after Brexit in the UK, I’m unsure. Canada appears to be working towards (or has enacted) a similar data purge law for its citizens.

However, no such ‘right to erasure / right to be forgotten’ law has been enacted in the US. Companies in the US are still free to store and keep your personal data for as long as they see fit. Yes, even after your deletion request. This means that your data is still at risk of a data breach, even after you’ve requested Facebook, Snapchat, Whatsapp, Instagram, YouTube, Google or Twitter to delete your data. US companies are just not obligated to irretrievably delete your data. Even in the EU, the laws may not fully guarantee irrevocable deletion of your data. Meaning, it may be enough for a company to actively delete visibility of your data on their web site, but that doesn’t ensure irrevocable erasure from all media in that company’s possession. Worse, as long as that data never surfaces in the future, that company can hold onto it… even if they are considered ‘breaking laws’. The only way to make sure irrevocable deletion occurs is by adding incredibly stiff penalties when the laws are willfully broken.

Social Networks and Marketing

Facebook, Twitter, Instagram, Whatsapp and more bank on their ability to collect your data, store it and use it freely. As long as you digitally agree to their terms and conditions regarding their data collection and use, then you have little recourse against them when a situation like Cambridge Analytica occurs.

In email marketing, selling of lists has been taboo for years and has always been considered a dubious email marketing practice. In fact, list purchasing is considered one of the worst email marketing practices. In Social Marketing, no such rules have been laid down. Facebook has been hitting these walls one-by-one since at least 2008. Each time, they put up yet another road block to stop that particular practice (aka, baby steps). Facebook doesn’t want to stop these practices, they’re just forced to by public outcry, the media and the government each and every time.

They knee-jerk by enacting new policies each time, but only because of duress. Policies, I might add, that email marketers have been adhering to for years. Policies that now have laws like the CAN-SPAM Act and individual state laws. Yet, here we are again, reliving this same abuse pattern over again in another form.

Marketing Today

Marketers have always wanted to do the least work possible and gain the most money from their efforts. That’s the whole reason email marketing exists. That’s the reason advertising exists. They want to create the most effective campaign and Facebook allows them to do this with their personalized marketing.

Cambridge Analytica took that one step further. They mined Facebook’s data and stored it in their own offsite database. A database that Facebook claims they thought had been deleted. They then combined that data with other data to create an even more comprehensive profile of each person. Yes, even more comprehensive than Facebook alone. If they had first and last name along with at least one piece of identifying information, they could have gone to LexisNexis and gotten even more identifying information. Who knows, they might have?

Marketers today are looking for the easiest way to target ads to the people they need. Hence, the reason Cambridge Analytica can even exist as an organization. There are many, many data brokerage services available to buy list and user data. Data that can be populated into databases and targeted with ads. Most of these outside brokerage services sell with the intent of using email marketing, but there may be more today that are using Facebook to present their ads. Cambridge Analytica is but one of many data brokerage services that exist on the Internet. You can bet many others also exist and may have taken advantage of Facebook’s situation, just the same as Cambridge Analytica.

That Facebook claimed to believe that a data brokerage service, whose sole business is in selling data, would ever delete data they had legitimately collected from Facebook is entirely naïve and disingenuous. Facebook had to have known the business Cambridge Analytica was in at the time they were extracting data from the platform. One only needs to visit Cambridge Analytica’s web site for a few minutes to understand their line of work. Even then, if you weren’t certain, you could certainly pick up the phone, call them and ask what it is they do. Companies are always eager to talk about their line of business, particularly if they think they’re about to make a sale.

Ad targeting is not going away and is only likely to grow as artificial intelligence systems grow. The data privacy issue will continue to be ever more important as time goes on. To protect yourself, you must ask yourself, what should I share and what should I not? For example, publishing a single cute puppy or kitty photo or video is probably fine. However, many cameras today also add EXIF data to store location data and possibly other information about where and when the photo or video was created. Data that might be used to link you to that photo. However, taking a photo every day of your cup of coffee might reveal things about the location that you visit (names, people, location identifiers, etc). These are the times when you need to be cautious before posting. Even if the photo appears innocuous, you might want to think twice because someone else might see something that you don’t see.

Social platforms, while fun, are big business for their owners. Don’t be fooled into thinking it’s all fun and games. Those games and fun have a price to pay. That price is what they get to do with your user data. As has been said, if the service is free, you are the product… or more specifically, your data.
