News You Can Use

Quote of the Day

Privacy experts say disabling or deleting your device’s MAID will have no effect on how your phone operates, except that you may begin to see far less targeted ads on that device.

Any Android apps with permission to use your location should appear when you navigate to the Settings app, Location, and then App Permissions. “Allowed all the time” is the most permissive setting, followed by “Allowed only while in use,” “Ask every time,” and “Not allowed.”

Android users can delete their ad ID permanently, by opening the Settings app and navigating to Privacy > Ads. Tap “Delete advertising ID,” then tap it again on the next page to confirm. According to the EFF, this will prevent any app on your phone from accessing the ad ID in the future. Google’s documentation on this is here.

By default, Apple’s iOS requires apps to ask permission before they can access your device’s IDFA. When you install a new app, it may ask for permission to track you. When prompted to do so by an app, select the “Ask App Not to Track” option. Apple users also can set the “Allow apps to request to track” switch to the “off” position, which will block apps from asking to track you.

Apple also has its own targeted advertising system which is separate from third-party tracking enabled by the IDFA. To disable it, go to Settings, Privacy, and Apple Advertising, and ensure that the “Personalized Ads” setting is set to “off.”

Finally, if you’re the type of reader who’s the default IT support person for a small group of family or friends (bless your heart), it would be a good idea to set their devices not to track them, and to disable any apps that may have location data sharing turned on 24/7.

There is a dual benefit to this altruism, which is clearly in the device owner’s best interests. Because while your device may not be directly trackable via advertising data, making sure they’re opted out of said tracking also can reduce the likelihood that you are trackable simply by being physically close to those who are.

Brian Krebs
October 23, 2024
The Global Surveillance Free-for-All in Mobile Ad Data – Krebs on Security

Getting recent location information on a person given just a few bits of data was not the original intent. But it isn’t that hard to do with the Mobile Advertising ID:

The Mobile Advertising ID or MAID — the unique alphanumeric identifier assigned to each mobile device — was originally envisioned as a way to distinguish individual mobile customers without relying on personally identifiable information such as phone numbers or email addresses.

However, there is now a robust industry of marketing and advertising companies that specialize in assembling enormous lists of MAIDs that are “enriched” with historical and personal information about the individual behind each MAID.

I protested a similar loophole when I was working on the location services for Windows Phone 7 at Microsoft. People didn’t see the problem with a phone being assigned a unique random number for each phone and tracking it. I had to explain it to them:

Suppose I know where my Ex works (or picks up her mail) and where our kids go to school. I search the tracking data for the sets of IDs which visit both locations. Even if there are a dozen of them, I can find out where each of those phones spends its night. I can then easily visit each of those locations to find which one is my Ex.

If I only have one location for my Ex I still find the home of my Ex. I isolate a sibling/parent/close friend of hers. I use that ID to see if it meets with one of the IDs from my Ex’s work/school.

They seemed to understand the problem, but the corporate utility of having the tracking ID seemed to outweigh user risk. I don’t remember what ultimately happened with that.

I know there was similar location tracking risk to users that I called out and they went ahead with. About a month before it was released there was a bit of a scandal with Google’s Android phones. Google was doing almost exactly the same thing as what MS was about to release. The same manager who insisted I make the enabling code change changed his mind. It was with great pleasure that I backed out my code changes.

Smart phones are awesome tools. Smart phone users have a huge advantage over others who don’t have one or don’t use their full potential. But as you can imagine, and as surviving Hezbollah members can attest, in certain situations even a pager is risky.


16 thoughts on “News You Can Use”

  1. I have a nearly OCD desire to deny information to entities online, I give up a lot of convenience due to this. My biggest concern is correlation. If I use a VPN connection (assuming they truly don’t log) at a given time to access a service that knows my Identity because I authenticate, that means that my current VPN IP address is known and logged by the service in that time window. The more services I use the stronger the correlation available to anyone scooping up metadata. I’d like to find a way to automatically establish a separate VPN connection for every service session. I’d also like a way to authenticate with a trusted third party and just use a token to access a given service such that the service provider doesn’t know who is accessing the service and the authentication service doesn’t know what service I’m using; they just both know I’m authenticated. My cryptography knowledge is cursory, but it seems possible, though KYC may get in the way as well as practicality for some services.

  2. I thought you were talking about the Canadian acronym which would be really disturbing.

  3. Beyond the privacy issue, there is a fake app that makes you think you are talking to the bank when in fact it is a fraudster seeking to extract passwords etc. I think I encountered this when I thought I was talking to Vanguard though it could be another sort of hijacking of their phone number. Whenever possible I avoid apps or doing any financial business on the phone.

  4. If you’re serious about privacy and security do not use a mobile phone or only use dumb burner phones and switch them very frequently. Don’t use credit cards or shop online. Carry cash and shop in a brick and mortar business. If you need the convenience of instant or nearly instant communication over a distance get a HAM license and then be aware that someone is probably listening to your conversation, just like when you’re using a mobile phone. But is less likely to be NSA, FBI, GCHQ, Homeland Security or some other organ of organized crime.

    • Very difficult to avoid on-line especially if you are in a small town. COVID lockdowns killed a lot of brick and mortar places and inventory is expensive. As for credit cards, I don’t care if the government knows I buy groceries or shoes. Gas may be an issue in the future but not yet. I save cash for sensitive transactions but even there it is often impossible to avoid on-line/credit card.

  5. “Smart phone users have a huge advantage over others who don’t have one or don’t use their full potential.”

    I’ve been working with computers intimately since the very early 80’s (before IBM entered the personal computer business). I believe I fully understand their potential.

    In my experience, I have found nothing that can be done with a cell phone that cannot be done with greater control and efficacy by a traditional personal computer. My last cell phone booted a linux kernel that I had compiled from source, and ran android without the “google apps”. I had source for everything on it.

    There was nothing I could do with it that I couldn’t do better with my laptop, besides putting it in my pocket. Maintaining that platform was so time consuming that I gave it up a few years ago, and no longer use a cell phone.

    I am quite certain I have advantages over every cell phone user I am aware of, simply by understanding the hardware and code within computers, and their limitations.

    With only one or two sandboxed exceptions, I have compiled all software on my laptop from source, and resorted to writing some of it myself to ensure full control of the boot and “init” processes.

    Cell phones suck(tm). Even if you take extreme action to get control of the OS, you will never control the baseband firmware, and the baseband processor shares memory access with the application processor, so they have no secrets from each other. Even if you encrypt the root, the decryption key is visible to the baseband processor. (Something similar is true of laptops’ “management engines” but to a lesser degree, and firewalling them is trivial.)

    • The mobile communication is a huge time saver. Navigating while driving it can route you around stop and go traffic. Getting a call asking you to pick up another item or two at the grocery store. You see something on the shelf at Home Depot and you can check the price on Amazon and the other hardware store across town. You are at Walmart, and you check the web for the number of quarts of oil your car holds. The text messages from your kids telling you they have to stay after school for a special event and can you pick them up on your way home from work? You get movement alerts from the webcams around your house while you are at work or driving. You receive a phone call while you are away from home. You are at the range and transfer $30 into your kid’s checking account so they can go out to dinner and a movie with some friends. Your car broke down while driving on an isolated road and you need help. Videos and pictures of everything. I’m hiking on the side of a mountain; will the weather hold long enough to take the long way down? What is the drop and windage for my custom rifle load at 500 yards at my present altitude and weather conditions?

      My life would be completely different and quite diminished without a smart phone.

      • I get that. All fair and true… however none of it applies to me:

        I don’t (won’t) live where stop and go traffic is an issue. I get my calls to pick up more stuff, or other unexpected changes via radios I own and control. If need be I can consult the net via a laptop in the car, but in practice I never do. My security systems are not accessible by infrastructure I don’t control. (Allowing a third party to monitor my cameras is a non-starter here.) If the information I need from them is greater than what the radios can do, I use the laptop through ssh/mosh channels on my own servers.

        Pretty much anything outside what radios and lappy can do, seems exceedingly trivial to me, or due to insufficient planning on my part, which should not be coddled.

        My life is substantially different since I gave up the phone too, but I have no regrets. 😀

      • There are stand alone GPS units and cameras. There are also things known as grocery lists. Home security should be web independent so you are not vulnerable to web down or hacking. Driving all over town to get the lowest price is usually a loser. Financial transactions over a phone are dangerous. Tell your kids that their failure to plan is not your problem. They will be pissed but better off in the long run.

        I wish I had Fido’s technical skill but you probably do. Question of priorities, eh.

        Texts and phone calls are usually harmless and convenient but somehow we lived without them for 100,000 years.

  6. It’s a powerful tool… that has become an essential crutch for far too many young people. They are all but non-functional without it. They are dependent, and do not understand the risks, privacy or otherwise, of it being their constant companion. The total surveillance it enables is terrifying.

    Increasingly, I’m thinking a good interview question for a new hire would be “what would you do if your phone was lost or destroyed, and you couldn’t get a replacement for two weeks? How well could you do life and your job [assuming it didn’t explicitly require a smartphone to do]?”

  7. I find it amusing that people actually believe that turning off these settings actually blocks the people who control the phone’s Operating System from using it for anything they want. It doesn’t. It just makes you BELIEVE you aren’t being tracked and your info not being sold. There is simply TOO MUCH MONEY plus power and control to allow you to actually opt out. Don’t want to be tracked? Keep your cell phone in an RF proof container/bag unless you need to use it.

    • You can buy those at Amazon. :>). You probably get on a list for having one but I am on so many lists, it probably doesn’t matter.

      • Only NPCs are not on a bunch of government watch-lists. TPTB can safely ignore because you are of no political significance, either real or potential.

  8. Targeted ads are an annoyance. But like Jehovah witnesses. Can pretty much just be dismissed out of hand.
    And I can attest that mobile phones absolutely revolutionized construction.
    That all being said, the real problem with all this tracking and crap is those that control it.
    If we just limited and strictly enforced the criminal usage of it? Data that is.
    Who cares what they know? I’m a Christian. I know even the hairs of my head are numbered. (Much less these days.)
    Point being I know someone knows everything I’m doing 24/7/365 anyway. And I could care less if government knows too. (AI must be bored stiff by now, and it can’t un-see the senior porn!)
    It’s what they do with it that matters.
    On the other hand it becomes a very good way to make government think you’re someplace you ain’t.
    They know everything about you and where you’re at in any given moment. Till you walk away from it.
    But once again, it ain’t the tech that is the problem. It’s the humans and what they want the info for.
    And there ain’t that many of “them”.
    If you want to know? Get a warrant. Is not that hard to enforce.

  9. This is why I use GrapheneOS on my Pixel phone. No Google services or apps installed by default. And super easy to install via a web app.

    https://grapheneos.org/

    “The private and secure mobile operating system with Android app compatibility. Developed as a non-profit open source project.”
