1. TEKDESK
A Division of COIN:
The Community Protecting Your Privacy
Opportunity &
Innovation Network
www.tekdesk.org
www.coin-ced.org
Made possible by a
grant from the Office
of the Privacy
Commissioner of
Canada
http://www.priv.gc.ca
2. A smartphone is a cell phones that can
connect to the internet and run a
number of programs called apps
chosen by the user.
Smartphones have reached about half
of the Canadian market. Their market
share is only expected to increase.
Smartphones store a lot of personal
information: your address
book, email, Facebook and more. Lots
of apps need or want personal
information. This can threaten your
privacy.
3. Smartphones have operating systems just like computers.
In Canada, the most common are:
iOS, used for Apple’s iPhones and iPads.
Android, used for smartphones and tablets from many
different companies.
BlackBerry OS, used for RIM’s BlackBerry phones.
Windows Phone, used for certain smartphones from various
companies, particularly Nokia.
Software developers create programs – apps – for each
operating system. Manufacturers list them at online stores
you can download them from. Some are free, some cost
money. Apps include games, Facebook, Twitter, special
messaging programs and even lightweight versions of office
software.
4. Physical: If
someone gets a hold of your
phone, they might be able to access your
personal information.
The User: You might mistakenly share your
information over the internet using your phone.
Software: The app may be designed to share
your personal information in some way you
don’t want.
In additionto these, you may face High Security
Situations where you should turn off your
phone and if possible, remove its battery.
5. Cyberbullying: If you are in danger of being
bullied, your private information can be used to say
hurtful things to you or an online audience.
Cyberstalking: Your personal information could be
used to track your movements and actions to harass
you.
Identity Theft: This is a form of fraud where someone
pretends to be you for financial gain, such as using
your credit card or getting loans in your name.
Human Rights Violations: Your private information
may be used to commit a human rights violation.
Stress: Privacy loss is a stressful event, no matter what
happens. Do not underestimate the effects of stress.
6. The formula:
Technology knowledge + common sense = security!
You probably already have the common sense –
it’s just the technology you’ll need help with.
Let’s talkabout the ways we can protect against
privacy threats that might come up through these
three avenues.
We’ll alsotalk about some general best practices
to protect your privacy.
7. To use a smartphone responsibly, you need to strike a balance
between your privacy needs and ease of use.
The best way to keep an app or other feature from damaging
your privacy is to not use it, deactivate it, or remove it.
If you use your phone for work, ask if the workplace has any
policies you should be aware of.
Assess your privacy needs:
Do you plan on using your smartphone for work or financial
transactions?
Do you regular look at sensitive information?
Are you responsible for dependents? You need to safeguard their
privacy as well as your own.
Are you likely to face privacy-related threats such as
harassment, stalking and identity theft?
In this course we will highlight essential privacy safeguards with
red text. Do more if you need to.
8. Physical security protects against
the dangers of
someone getting a hold of your phone.
This couldbe someone stealing your phone or
sneaking a peak while you’re asleep, distracted or
elsewhere.
9.
10. Jane leaves her purse at her table while she gets a
refill for her coffee. A man on the way out grabs
the phone right out of her purse. He uses her
Facebook and email to trick Jane’s friends out of
money by pretending to be her.
Tony does not feel safe with his partner, but they
still share the same apartment. He has been
planning to leave. After his partner turns on Tony’s
phone, he reads email Tony sent to friends about
the situation.
11. There are three appropriate places for your phone:
1. In a pocket of something you are wearing right
now.
2. Within arm’s reach.
3. At a set location in your home or another secure
area.
12. Your phone has a lock screen: a screen that comes up
before you use the phone for anything.
Your lock screen should always be password protected
to prevent peeking.
There are multiple types of “passwords” to choose
from depending on the phone, like standard
passwords, swipe passwords and face recognition. No
matter what you pick, you will always be asked to have
a standard password as well.
Some phones offer a default 4 character password.
Look for an option that lets you use a longer, secure
password.
13. Your phone should never be sold, traded, or disposed of
without wiping all of your information first.
This is true even if you’re throwing the phone
out, returning it you the carrier, or giving it to a family
member or close friend.
Remove the phone’s memory (SD) card. Do not just delete
its contents, as these can be recovered. Check with your
carrier about deactivating the phone’s SIM card.
Every smartphone can be “factory reset:” returned to the
condition it was in when originally purchased, with no
personal information beyond a phone number. Do this (or
have someone do it) to every phone you plan on getting rid
of.
Removing the phone’s SD card does not take the place of
resetting the phone. You must remove the card and reset
the phone.
14. Report a lost or stolen phone immediately! Your
carrier may be able to remotely deactivate it.
If yourphone is a popular brand (such as an
iPhone) pick a case that changes its shape, and
use headphones or ear buds of a different brand
than your phone.
If you
feel confident doing so, take a look at
software that may help you track a stolen
phone, such as Prey: www.preyproject.com.
15. Knowledge is your best defence against privacy
threats. Do you know what your phone does? Do
you know the information your apps send? Does
your carrier offer any services that could threaten
your privacy?
Even tech-savvy people run into problems.
16.
17. Carrier Services: Does your carrier offer services
that can be used to spy on you?
Apps: Are you accidentally using app features that
share private information?
What You’re Saying: Are you texting or posting
anything on social networks that could be
dangerous to your privacy?
18. Bob posts publicly on Facebook that he just got
home. He doesn’t know that his post includes his
physical location, which he accidentally allowed it
to add.
Mary goes to a shelter. Her abusive partner finds
her location via the Rogers Phone Finder service
they were registered under. This pins her phone’s
location on a map. He tracks her down.
John mentions on Twitter that he’s going on
vacation for a week. When he returns, he finds his
apartment has been robbed. The thieves knew he
was away.
19. Bell, Telus and Rogers all provide services that allow
people to track the locations of their own phones, and
sometimes others.
Bell Seek and Find
Rogers Phone Finder
Telus Asset Tracker (Business)
For the best security, make sure your phone cannot be
tracked by these services. Contact your carrier and look up
these services online.
Other carrier services include the ability to look at texts
and perform other functions on a distant phone from your
computer. If you use these services, never share your
password. For best protection, don’t use them!
20. Learn about the apps you use. Some of them have
features that let you share private information – you
might do this accidentally.
Facebook is the app/service people accidentally share
information with the most. For example, it allows you to
add your location to almost everything you post, and nags
you to do it. It also allows you to enter your phone
number, which can be harvested by your friends’ address
books.
Look out for location/GPS features as well. They may add
location listings to your posts, or add location based
metadata (information that appears with a file) to
pictures.
People are especially prone to accidentally sharing private
information with social media and messaging apps.
21. Even ifyou master your apps’ risky
features, there’s always the danger of sharing
information through your own words and pictures
that could damage your privacy.
Be especially careful about posting your
location, family information and anything that
could reveal financial information, such as the
bank or credit card you use. Most people would
never post their credit card or bank account
numbers, but you should also think twice about
posting the bank or credit card brand you use.
22. Apps on your smartphone require permission to
use certain files and capabilities on your
phone, such as your address book (or contacts) or
your camera.
Some apps ask for permissions that could threaten
your privacy.
23.
24. Carol
downloads a messaging app. It
automatically emails all of her address book
contacts to let them know she’s using it, but her
contacts include a former harasser who she had
an email conversation with two years ago.
Farooq uses a blogging app to write anonymous
articles on politics. Advertisers use this
information to tailor ads on websites. When he
surfs the web to do research at work, his
supervisors notice that the ads he encounters
reflect his politics.
25. By default, apps can only run in their own little section of
the phone’s system, called their sandbox.
An app that can only use the sandbox would be pretty
useless. A web browser app needs to use the internet, and
an app that lets you add filters to your pictures may need
your phone’s camera, photo gallery, or both. Letting an app
do this gives it permissions, so that’s what these features
are called.
If an app needs permissions, you normally have to give
them to use the app properly, or you are assumed to give
them if you download it.
Some apps ask for permissions they don’t really need to
function so they can promote themselves, send data to
advertisers or track user behaviour to improve themselves.
A few apps are malware – they steal information or change
how your phone works for malicious or criminal purposes.
26. They share information you don’t want to share.
They perform an action that compromises your
privacy.
Some of them enable true malware designed for
criminal activities, but most of these problems
come from incompetent or greedy app
development.
27. In 2012 The Office of the Privacy Commissioner of Canada
funded a Tekdesk project to research the privacy effects of
smartphone apps.
Our initial research of the literature indicated the following:
Many users don’t understand smartphone permissions, and
don’t pay much attention to them.
Free apps were much more likely to possess questionable
permissions than paid apps.
In many cases, the problem isn’t malware, but app developers
getting sloppy. To make it easy on themselves, they ask for wide
ranging permissions.
App developers have also taken security shortcuts. For
example, some apps uploaded contacts without encrypting
them. This might allow a hacker to intercept that information.
In some cases, the permissions you see don’t match what an app
actually does. For example, in one court case, the plaintiff alleges
that her Windows Phone device continued to transmit location-
based information after she specifically disallowed that
permission.
28. Phase 2 of our research looked at the permissions requested by
the top 50 free and paid apps for the four major smartphone
platforms, according to their app stores.
We discovered the following:
Android and Windows Phone apps from their official stores tell you
permissions before you download. iOS and BlackBerry apps don’t. iOS
only provided standardized permissions for push notifications and
location-based services.
As of December 2012 the BlackBerry OS lets you change virtually any
permission. For others, you are mostly restricted to changing location-
based services.
Developers tend to ask for standardized sets of permissions, no
matter the app. For example, every single BlackBerry OS smartphone
app allows access to email, organizer data (calendars
contacts), files, and security data by default. This may allow problem
apps to conceal themselves as “wolves in sheep’s clothing.”
Virtually every app requests local network and internet access, even
when the app doesn’t have any obvious use for it.
29. Each mobile operating system has a different method of
listing permissions, and different permissions categories.
Android: Read permissions in the Google Play app store or
website before you download.
iOS: You need to download the app first. The app will ask
for some permissions. Others require you to take a close
look at what the app does. Go to Settings to see some apps’
permissions, such as permission to use push notifications.
BlackBerry: You need to download the app first. Look at the
app under Options>Device>Application Management in
BlackBerry phones made before 2013.
Windows Phone: The Windows Phone Apps+Games Store
lists permissions for apps. Read them! In addition, after you
download the app may ask permission for some
functions, such as location-based services (GPS, Wi-Fi
triangulation).
30. Every operating system describes privileges in a
slightly different fashion, but they’re all talking
about basically the same things. Some
permissions are no big deal, but a few require
your close attention because if they’re misused by
the app, they can compromise your privacy.
When you see a suspicious permission, ask
yourself if the app really needs that to function.
Remember that some apps are ad-supported, and
have extra permissions for that reason.
31. Address book/contacts and calendar: Legitimately used
for messaging, calendar and some social media.
Otherwise, do not allow.
Geolocation/location-based services: Legitimately used
for navigation, mapping and some social media
(Facebook, Foursquare). Some apps (such as weather) also
give custom content based on location, but should not
need to know your fine, GPS-based location – just your
general area.
Camera: Only apps that use your camera or affect photos
need this permission. Otherwise, it can be used to take
photos without your permission.
Phone calls and texting (SMS/MMS): Legitimately used
for some messaging apps. Otherwise, it can be used to run
up charges on “premium” phone calls and texts.
32. In order of importance:
1. Research before you install. Google it!
2. Look up permissions as soon as you can.
3. Ask yourself: “Does this app need this permission?”
4. Read the app developer’s privacy policy. There
should be one for every app that has access to your
personal information.
5. Disable any permissions you don’t need, if you can.
6. Uninstall apps you no longer use.
7. Back up, wipe and restore your phone periodically.
33. The most common way to get apps is to download them from
official app stores for each operating system/device.
There are alternative app stores out there. For some phones
(especially iPhones), you need to void your warranty by adding
the ability to use them. For iPhones, this is called jailbreaking.
Official app stores use some safeguards against malware and
security risks, but apps often get past them. Alternative app
stores do not have these guarantees.
It’s also possible to install apps from your PC or through an SD
storage card. This is called sideloading. Sideloaded apps may or
may not be safe, depending on the app, but there are no
guarantees.
Alternative app stores and sideloading are not recommended for
most users.
Just because an app comes from an official app store doesn’t
mean it’s automatically safe.
34. Some jobs and other circumstances create high
security situations where you should take every
precaution against privacy breaches and
surveillance.
Examples of high security situations include:
Work that brings you into contact with people in crisis.
Visiting a shelter for individuals coping with violence.
Any time you believe there would be a serious threat
to your privacy, and you are not sure how to protect it.
35.
36. Zenia is staying at a shelter to escape a violent
ex-partner. Her partner secretly installed tracking
software on her phone. He activates it. The
software doesn’t leave any sign that it’s active.
He uses the phone’s location to track her down.
Zenia turned off the phone’s GPS, but the
software used Wi-Fi triangulation as well, and it’s
good enough to find her rough location.
Jeff works at a youth shelter. A shelter resident
steals Jeff’s phone, and not only uses the phone
to arrange a drug deal (which may get Jeff in
trouble) but gets enough of Jeff’s personal
information to harass him later.
37. Your phone must be completed powered down to be
truly turned off.
It is not off when the screen is dark and you’re not
using it. It’s on standby. This is true even if you have
set your phone to be silent or block calls and texts.
Some apps and hacking techniques can be used to use
your camera and microphone, or read information
from your phone (including location) while your phone
is on standby.
Some phones cannot be completely powered down
even when turned “off” according to the device’s
settings. You must remove the battery.
38. Ask about cell phone policies for that site or job.
If they recommend additional steps, use them. If
they don’t, take the other steps anyway.
Power down your phone. Hold down the power
button and select the option that shuts down
your phone.
For extra protection, remove the battery if you
can. If you can’t, consider leaving your phone in a
secure location, away from the high security
situation.
39. If you will regularly enter high security situations, consider
getting a dedicated phone to use when they arise.
Some jobs offer these phones to workers.
For the best security, this phone should not be a
smartphone. If it is, it should contain virtually no non-work
information—don’t use it for Facebook, for example.
The most secure option is a prepaid/pay as you go phone
that is not registered under your name.
Use this phone for communication in high security
situations, such as talking to clients or calling in and out of
facilities.
Do not enter any private information in to this phone, and
limit communication with private life connections to
emergencies only.
In situations like this, it is perfectly reasonable to carry two
phones.
40. Threats to your privacy come from losing physical
security (someone gets their hands on your phone),
user actions (you do something to release private
information) and software (the app does something to
release private information). Some high security
situations require additional precautions.
Don’t let your smartphone out of your sight!
Learn about your carrier, smartphone, and apps.
Just because your friends and family aren’t concerned
doesn’t mean you shouldn’t be. Everyone is different.
Technology knowledge + common sense = security!
Keep learning and thinking.
41. To protect your smartphone’s physical security:
1. Keep your phone by your side or in a secure location at all times.
2. Use a password-protected lock screen.
3. Wipe your phone with a factory reset and wipe/remove the SD card before
you get rid of it.
To prevent yourself from accidentally sharing information:
1. Study the apps you use for features that share too much, such as GPS
location.
2. Don’t post sensitive information, especially about your location or finances.
3. Make sure you cannot be tracked through carrier services.
To prevent apps from breaching your privacy:
1. Research apps online before you download them.
2. Look up their permissions to see if they want to do something they don’t
need to do.
In a high security scenario:
1. Completely shut down your phone. For extra protection, remove its battery.
2. Use the strongest combination of site security policies and what you learn
here.
3. If you can’t remove the battery, consider leaving the phone in a secure place
away from the high security location.
4. Keep an alternate phone, such as a prepaid phone that is not activated
under your name.
42. For more information, contact Tekdesk:
www.tekdesk.org
info@tekdesk.org
www.twitter.com/tekdesk
Look for us on Facebook – search for Tekdesk
Peterborough