Showing posts with label stalker economy. Show all posts

Monday, February 12, 2018

Is It Your Smartphone That's Addictive — Or Your Apps?


The recent spate of articles on the topic of smartphone addiction reflects growing concerns about our reduced cognitive capacity, increasing loneliness and depression, and our diminishing ability to control where our attention is focused—all attributed to the increasing amount of smartphone screen time in our daily lives.

Daily smartphone use in the U.S. has grown to over 4 hours per day, according to eMarketer, and the breakdown shows that the vast majority of that time is spent in mobile apps. It's not the smartphone that's addictive but the apps, which are specifically designed to keep us "engaged"; by that their makers mean using the app for longer, so that the stalker economy can profit from our attention.

Make no mistake: apps such as Facebook, Snapchat, Instagram, WhatsApp, and Twitter employ an economic model that's tied to keeping your attention on their app (whatever their marketing departments say about connecting people). That's for two reasons: first, to serve us more ads; second, to surveil us for longer so that companies such as Acxiom, Epsilon, Datalogix, RapLeaf, Reed Elsevier, BlueKai, Spokeo, and Flurry can collect more data about us. These companies are players in the $156 billion per year data surveillance industry, an industry that exists so that marketers can serve us the most precisely targeted ads based on dozens of factors, including where we are at any given time. Usage patterns, what other apps we use, and how we use them allow marketers to infer our gender, profession, marital status, sexual orientation, income level, age, health conditions, and other personal characteristics. Flurry, for example, classifies app users into personas such as Business Travelers, Pet Owners, and New Moms, among many others.

Enterprises in the U.S. don't worry all that much about protecting employees' privacy. But they are concerned about employee productivity, and about ensuring that, unlike Homer Simpson in the cartoon above, their employees focus their attention on the job at hand. That's why Facebook is one of the most commonly blacklisted apps in enterprises. Other approaches to the attention problem include container strategies such as Android Enterprise and Samsung Knox, which separate work apps and data from personal ones and are intended to keep employees on work-related apps while they're at work.

But employees resist corporate attempts to control which apps are on their devices, and container adoption is slowed by usability and other concerns. What other options exist for enterprise mobile security?

As we outlined in a prior post, any enterprise mobile security approach that requires users to delete apps from their devices will meet resistance from app-addicted employees. That's one reason Mobile Threat Defense (MTD) solutions face deployment headwinds. And unless app policies are developed in close partnership with the HR department, and employees agree to them as a condition of employment, enterprises will find it very hard to enforce anything beyond the most egregious security concerns on employee-owned devices.

Instead, enterprises should investigate a lightweight approach to mobile security that's transparent to employees but can prevent enterprise-selected personal apps from running while the employee is at work. Every day when they leave the workplace, those apps are re-enabled and work normally while the employee is on personal time and away from the office. That's the security model that has served enterprise laptops for the past decade, and it's a logical separation between work and personal use of mobile devices.

______________________________________________________________________

Note: Many of the ideas explored in this post were stimulated by two books: Future Crimes: Inside the Digital Underground and the Battle for Our Connected World, by Marc Goodman, and The Attention Merchants: The Epic Scramble to Get Inside Our Heads, by Tim Wu. I am indebted to them both.

Monday, January 8, 2018

"Modern computing security is like a flimsy house that needs to be fundamentally rebuilt"

Image courtesy NY Times

Zeynep Tufekci has an interesting take on the latest cyber security news in her column entitled The Looming Digital Meltdown. The money quote is this: "Modern computing security is like a flimsy house that needs to be fundamentally rebuilt." Her focus is the chip-based vulnerabilities disclosed last week, but she's talking about cyber security in general. And her point is hard to argue with.

Tufekci has been thinking both deeply and broadly about these topics for quite some time. She's the author of Twitter and Tear Gas: The Power and Fragility of Networked Protest, and her TED talk "We're building a dystopia just to make people click on ads" gets right to the point about the economic incentives that enable the Internet's stalker economy.

The theme of Tufekci's column is that vendors, driven by consumer demand and the frenzy to be first to market, have sacrificed security for speed and convenience. She rightly asserts that this is a solvable problem--and maybe would have already been solved if we simply held our vendors accountable (as we do with airplane travel, for example, or with consumer products).

But I think users have been complicit. By users, I mean people who use Facebook, who buy smartphones, and who are inevitably attracted to "free" apps and services. I put the word free in quotes because the cost is real but not always evident. The stalker economy leads to exploits such as ADINT, in which anyone using the same techniques available to advertisers can easily track friends, relatives and even strangers. We've ceded this power to the technology providers in order to have easy access to social networking apps and other "free" services.

And profit-driven technology is proving more powerful than traditional safety systems. Witness the fact that Uber Can Find You but 911 Can’t. Would we ever have designed such an outcome consciously?

Maybe there's hope on the horizon: Mark Zuckerberg says one of his goals for 2018 is to fix Facebook.

Meanwhile, here on earth, we're left to live with the chip-related vulnerabilities (known as Meltdown and Spectre). There's much hand-wringing that the proposed fixes will slow our systems down--by as much as 30% on some workloads, according to early estimates. But MIT has developed an ad-blocking system that improves web page download times by up to 34%. That sounds like a fair tradeoff to me.

Thursday, November 16, 2017

Protect Mobile Protects Consumers--and Enterprises?



Deutsche Telekom announced a new service yesterday called Protect Mobile. How it works can be summarized by their headline: Security is now a job for... the network!

The service, developed in collaboration with Check Point Software, provides protection against network-based mobile threats. Here's a brief description of the service:
Protect Mobile protects smartphone owners from Internet dangers at home and abroad: the protective shield in the Deutsche Telekom mobile communications network identifies and deflects viruses, worms, and trojans automatically. In addition, Protect Mobile blocks dangerous websites within the Deutsche Telekom network. Apps are checked for security issues before they are downloaded. Whether during online banking, surfing the web or on social networks, with Protect Mobile, users are effectively protected against cyberattacks both on the go and in their home Wi-Fi network.
The protection is performed in the network upon enrollment (for under a euro per month). A mobile app, available from the App Store (iOS) and Google Play (Android), complements the network protection by displaying error messages, warning of risks and giving specific instructions on what the user should do in case of an error or a threat. Once the user is outside the Deutsche Telekom network, the app provides on-device protection, raises alarms in case of threats and identifies them transparently. The primary design goal of the app was ease of use.

This seems like a reasonable approach to providing mobile security across a broad swath of users. The protection is strongest on the Telekom mobile network and the home Wi-Fi network. Presumably, protection on non-Telekom Wi-Fi networks, such as in coffee shops, hotels, and airports, comes from the Protect Mobile app alone. For most consumers, other than those singled out by a targeted attack, this level of protection is adequate: it would block much of the network-delivered malware and the dangerous websites behind consumer threats such as financial fraud, ransomware, and identity theft.

For enterprises within the Deutsche Telekom coverage area, if all of an enterprise's employees used Protect Mobile, it would provide relatively strong protection against most network- and device-based attacks. Does this constitute enterprise-class mobile security? Not exactly. As we've pointed out in earlier posts, the stalker economy and data leakage are app-based threats, not network- or device-based ones, and they are the threats that put enterprise data at risk. For comprehensive protection, an enterprise would have to add protection against app-based threats to protect its data--and also to prepare for GDPR compliance in May.

Wednesday, October 18, 2017

ADINT: Do It Yourself Surveillance


"If it's free you're the product." Most of us have heard this meme often enough, and have a vague understanding that it relates to online ads. But when most of us think about online ads, we think about the occasional annoyance of having to scroll past or otherwise ignore an ad—doing so is assumed to be the price of free online services, and it seems a small price to pay.

If only it were so simple.

Researchers at the University of Washington published a paper at the ACM Workshop on Privacy in the Electronic Society entitled "Exploring ADINT: Using Ad Targeting for Surveillance on a Budget." The subtitle is "How Alice Can Buy Ads to Track Bob." Yes, it's as bad as it sounds. The authors point out that for as little as $1,000, someone can use targeted ads to track the location of specified individuals. The mobile advertising infrastructure allows any attacker with modest means to "know where the target goes, where they live, and other sensitive information such as what apps they use". Knowledge of which apps are in use can be sensitive for a variety of reasons: mental health apps, diabetes trackers, dating apps (which can indicate relationship or sexual preferences), political affiliation apps, and religious and church apps all reveal something about their owner.
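To make concrete what the paper's Alice learns, here is an added example written for this page; it is not code from the University of Washington researchers, and it talks to no ad network. It takes a handful of impression reports of the kind an ad-buying dashboard returns (advertising ID, time served, which pre-registered target location matched, and the app the ad rendered in) and turns them into a movement trail, a likely home location and a list of apps in use. Every advertising ID, cell name, timestamp and package name below is constructed for the example.

```python
"""Reconstructing what an ADINT-style ad buyer learns from impression reports.

Added example for this page (not the UW paper's code); contacts no ad network.
All records, cell labels and package names are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed: locations the buyer pre-registered as hyperlocal ad targets.
# A real DSP would take latitude/longitude and a radius; labels suffice here.
TARGETED_CELLS = {
    "cell-A": "residential street",
    "cell-B": "office park",
    "cell-C": "medical building",
    "cell-D": "fitness centre",
}

# Constructed impression reports in the shape a DSP dashboard might expose:
# (advertising ID, ISO timestamp, matched target cell, app the ad rendered in).
# "aaaa-1111" is the target; "bbbb-2222" is a bystander who also saw the ad.
IMPRESSIONS = [
    ("aaaa-1111", "2017-10-02T23:40", "cell-A", "com.example.weather"),
    ("aaaa-1111", "2017-10-03T06:55", "cell-A", "com.example.news"),
    ("aaaa-1111", "2017-10-03T09:10", "cell-B", "com.example.news"),
    ("aaaa-1111", "2017-10-03T12:30", "cell-B", "com.example.game"),
    ("aaaa-1111", "2017-10-03T18:05", "cell-D", "com.example.fitness"),
    ("aaaa-1111", "2017-10-03T22:50", "cell-A", "com.example.dating"),
    ("aaaa-1111", "2017-10-04T14:20", "cell-C", "com.example.glucose"),
    ("aaaa-1111", "2017-10-04T23:10", "cell-A", "com.example.weather"),
    ("bbbb-2222", "2017-10-03T09:15", "cell-B", "com.example.news"),
]

# Constructed mapping from package name to the trait its presence reveals;
# the categories echo the ones the post lists.
SENSITIVE_APPS = {
    "com.example.dating": "relationship / sexual preference",
    "com.example.glucose": "health condition (diabetes)",
}


def _records_for(maid):
    """Impressions for one advertising ID, oldest first."""
    rows = [r for r in IMPRESSIONS if r[0] == maid]
    return sorted(rows, key=lambda r: r[1])


def movement_trail(maid):
    """(timestamp, cell, place label) for every ad the device rendered."""
    return [(ts, cell, TARGETED_CELLS[cell]) for _, ts, cell, _ in _records_for(maid)]


def infer_home(maid, night_start=22, night_end=6):
    """Cell where the device most often sees ads at night; None if never at night.

    Night is [night_start, 24) plus [0, night_end), a common heuristic for
    picking a residence out of a location trail.
    """
    def is_night(ts):
        hour = datetime.fromisoformat(ts).hour
        return hour >= night_start or hour < night_end

    nights = Counter(cell for _, ts, cell, _ in _records_for(maid) if is_night(ts))
    if not nights:
        return None
    return nights.most_common(1)[0][0]


def apps_used(maid):
    """Distinct host apps observed for the device; the report exposes these directly."""
    return sorted({app for _, _, _, app in _records_for(maid)})


def sensitive_inferences(maid):
    """Observed apps that reveal sensitive traits, mapped to the trait."""
    return {app: SENSITIVE_APPS[app] for app in apps_used(maid) if app in SENSITIVE_APPS}


def visits_per_day(maid):
    """{date: [cells in the order seen]}: one line per day of the target's routine."""
    days = defaultdict(list)
    for _, ts, cell, _ in _records_for(maid):
        days[ts[:10]].append(cell)
    return dict(days)


if __name__ == "__main__":
    target = "aaaa-1111"
    home = infer_home(target)
    print("likely home:", home, TARGETED_CELLS[home])
    for day, cells in visits_per_day(target).items():
        print(day, " -> ".join(cells))
    print("apps:", apps_used(target))
    print("sensitive:", sensitive_inferences(target))
```

Nothing here requires more than the impression reports an advertiser already receives; the inference step (nightly cell equals home, host app equals habit) is the whole of the "intelligence". The bystander ID shows the limit of the method: with no night-time impressions there is nothing to call home, which is why the paper's attacker targets a known advertising ID rather than everyone who wanders through a cell.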

As I've pointed out before, most people think it's a reasonable trade-off to allow ads to be shown in order to get apps and services for free. But in order to deliver those ads, the ad networks need to learn as much as possible about all of us, so that advertisers know whether it's worth paying to target an ad to any of us (and when and where it should do so). Advertisers have enabled what we can refer to as a stalker economy. If you think it sounds creepy, you're right. And it's also ubiquitous, part of the background noise of being a mobile-phone using netizen. 

That is the infrastructure that lets Alice buy ads to track Bob. But what is meant by "ADINT"? The authors coined the term, and I think it's a good one: where the intelligence community refers to human intelligence as "HUMINT" and signals (electronic) intelligence as "SIGINT", the corresponding term for advertising intelligence is "ADINT."

Most of the focus on mobile security has been around malware and network attacks that deliver malware. But malware is rare, whereas the stalker economy, or ADINT, can affect us all. In my previous post, I noted that mobile devices send considerable amounts of data into the cloud, which is to say the data is now in the wild—outside of our ability to track and control it. ADINT represents another threat vector regarding the digital exhaust of our mobile devices. This should worry us.