Proprietary Surveillance
Introduction
For decades, the Free Software movement has been denouncing the abusive surveillance machine of proprietary software companies such as Microsoft and Apple. In recent years, this tendency to watch people has spread across industries, not only in the software business, but also in hardware. Moreover, it has also spread dramatically away from the keyboard, in the mobile computing industry, in the office, at home, in transportation systems, and in the classroom.
This document attempts to track clearly established cases of proprietary software that spies on or tracks users.
Latest additions
Latest additions are found on top under each category.
Spyware in Operating Systems
Spyware in Windows
A downgrade to Windows 10 deleted surveillance-detection applications. Then another downgrade inserted a general spying program. Users noticed this and complained, so Microsoft renamed it to give users the impression it was gone.
To use proprietary software is to invite such treatment.
Windows 10 ships with default settings that show no regard for the privacy of its users, giving Microsoft the “right” to snoop on the users' files, text input, voice input, location info, contacts, calendar records and web browsing history, as well as automatically connecting the machines to open hotspots and showing targeted ads.
Windows 10 sends identifiable information to Microsoft, even if a user turns off its Bing search and Cortana features, and activates the privacy-protection settings.
Microsoft uses Windows 10's “privacy policy” to overtly impose a “right” to look at users' files at any time. Windows 10 full disk encryption gives Microsoft a key.
Thus, Windows is overt malware in regard to surveillance, as in other issues.
We can suppose Microsoft looks at users' files for the US government on demand, though the “privacy policy” does not explicitly say so. Will it look at users' files for the Chinese government on demand?
The unique “advertising ID” for each user enables other companies to track the browsing of each specific user.
It's as if Microsoft has deliberately chosen to make Windows 10 maximally evil on every dimension; to make a grab for total power over anyone that doesn't drop Windows now.
It only gets worse with time. Windows 10 requires users to give permission for total snooping, including their files, their commands, their text input, and their voice input.
And there's a secret NSA key in Windows, whose functions we don't know.
Microsoft's snooping on users did not start with Windows 10. There's a lot more Microsoft malware.
Spyware in MacOS
MacOS automatically sends to Apple servers unsaved documents being edited. The things you have not decided to save are even more sensitive than the things you have stored in files.
Apple has made various MacOS programs send files to Apple servers without asking permission. This exposes the files to Big Brother and perhaps to other snoops.
It also demonstrates how you can't trust proprietary software, because even if today's version doesn't have a malicious functionality, tomorrow's version might add it. The developer won't remove the malfeature unless many users push back hard, and the users can't remove it themselves.
Various operations in the latest MacOS send reports to Apple servers.
Apple admits the spying in a search facility, but there's a lot more snooping that Apple has not talked about.
Spotlight search sends users' search terms to Apple.
There's a lot more iThing spyware, and Apple malware.
Spyware in Android
“Cryptic communication,” unrelated to the app's functionality, was found in the 500 most popular gratis Android apps.
The article should not have described these apps as “free”—they are not free software. The clear way to say “zero price” is “gratis.”
The article takes for granted that the usual analytics tools are legitimate, but is that valid? Software developers have no right to analyze what users are doing or how. “Analytics” tools that snoop are just as wrong as any other snooping.
Gratis Android apps (but not free software) connect to 100 tracking and advertising URLs, on the average.
Spyware is present in some Android devices when they are sold. Some Motorola phones modify Android to send personal data to Motorola.
Some manufacturers add a hidden general surveillance package such as Carrier IQ.
Samsung's back door provides access to any file on the system.
Spyware on Mobiles
Spyware in iThings
iThings automatically upload to Apple's servers all the photos and videos they make.
iCloud Photo Library stores every photo and video you take, and keeps them up to date on all your devices. Any edits you make are automatically updated everywhere. [...]
(From Apple's iCloud information as accessed on 24 Sep 2015.) The iCloud feature is activated by the startup of iOS. The term “cloud” means “please don't ask where.”
There is a way to deactivate iCloud, but it's active by default so it still counts as a surveillance functionality.
Unknown people apparently took advantage of this to get nude photos of many celebrities. They needed to break Apple's security to get at them, but NSA can access any of them through PRISM.
Spyware in iThings: the iBeacon lets stores determine exactly where the iThing is, and get other info too.
There is also a feature for web sites to track users, which is enabled by default. (That article talks about iOS 6, but it is still true in iOS 7.)
The iThing also tells Apple its geolocation by default, though that can be turned off.
Apple can, and regularly does, remotely extract some data from iPhones for the state.
Either Apple helps the NSA snoop on all the data in an iThing, or it is totally incompetent.
Several “features” of iOS seem to exist for no possible purpose other than surveillance. Here is the Technical presentation.
Spyware in Telephones
According to Edward Snowden, agencies can take over smartphones by sending hidden text messages which enable them to turn the phones on and off, listen to the microphone, retrieve geo-location data from the GPS, take photographs, read text messages, read call, location and web browsing history, and read the contact list. This malware is designed to disguise itself from investigation.
Samsung phones come with apps that users can't delete, and they send so much data that their transmission is a substantial expense for users. Said transmission, not wanted or requested by the user, clearly must constitute spying of some kind.
A Motorola phone listens for voice all the time.
Spyware in Android phones (and Windows? laptops): The Wall Street Journal (in an article blocked from us by a paywall) reports that the FBI can remotely activate the GPS and microphone in Android phones and laptops. (I suspect this means Windows laptops.) Here is more info.
Portable phones with GPS will send their GPS location on remote command and users cannot stop them: http://www.aclu.org/government-location-tracking-cell-phones-gps-devices-and-license-plate-readers. (The US says it will eventually require all new portable phones to have GPS.)
The nonfree Snapchat app's principal purpose is to restrict the use of data on the user's computer, but it does surveillance too: it tries to get the user's list of other people's phone numbers.
Spyware in Mobile Applications
Facebook's new Magic Photo app scans your mobile phone's photo collections for known faces, and suggests that you share the picture you take according to who is in the frame.
This spyware feature seems to require online access to some known-faces database, which means the pictures are likely to be sent across the wire to Facebook's servers and face-recognition algorithms.
If so, none of Facebook users' pictures are private anymore, even if the user didn't “upload” them to the service.
Like most “music screaming” disservices, Spotify is based on proprietary malware (DRM and snooping). In August 2015 it demanded users submit to increased snooping, and some are starting to realize that it is nasty.
This article shows the twisted ways that they present snooping as a way to “serve” users better—never mind whether they want that. This is a typical example of the attitude of the proprietary software industry towards those they have subjugated.
Out, out, damned Spotify!
Many proprietary apps for mobile devices report which other apps the user has installed. Twitter is doing this in a way that at least is visible and optional. Not as bad as what the others do.
FTC says most mobile apps for children don't respect privacy: http://arstechnica.com/information-technology/2012/12/ftc-disclosures-severely-lacking-in-kids-mobile-appsand-its-getting-worse/.
Widely used proprietary QR-code scanner apps snoop on the user. This is in addition to the snooping done by the phone company, and perhaps by the OS in the phone.
Don't be distracted by the question of whether the app developers get users to say “I agree”. That is no excuse for malware.
The Brightest Flashlight app sends user data, including geolocation, for use by companies.
The FTC criticized this app because it asked the user to approve sending personal data to the app developer but did not ask about sending it to other companies. This shows the weakness of the reject-it-if-you-dislike-snooping “solution” to surveillance: why should a flashlight app send any information to anyone? A free software flashlight app would not.
Spyware in Games
Angry Birds spies for companies, and the NSA takes advantage to spy through it too. Here's information on more spyware apps.
Spyware in Toys
Spyware at Low Level
Spyware in BIOS
Lenovo stealthily installed crapware and spyware via BIOS on Windows installs. Note that the specific sabotage method Lenovo used did not affect GNU/Linux; also, a “clean” Windows install is not really clean since Microsoft puts in its own malware.
Spyware at Work
Spyware in Cisco TNP IP phones: http://boingboing.net/2012/12/29/your-cisco-phone-is-listening.html
Spyware in Skype
Spyware in Skype: http://www.forbes.com/sites/petercohan/2013/06/20/project-chess-how-u-s-snoops-on-your-skype/. Microsoft changed Skype specifically for spying.
Spyware on The Road
Spyware in Cameras
The Nest Cam “smart” camera is always watching, even when the “owner” switches it “off.”
A “smart” device means the manufacturer is using it to outsmart you.
Spyware in e-Readers
Spyware in many e-readers—not only the Kindle: they report even which page the user reads at what time.
Adobe made “Digital Editions,” the e-reader used by most US libraries, send lots of data to Adobe. Adobe's “excuse”: it's needed to check DRM!
Spyware in Vehicles
Proprietary software in cars records information about drivers' movements, which is made available to car manufacturers, insurance companies, and others.
The case of toll-collection systems, mentioned in this article, is not really a matter of proprietary surveillance. These systems are an intolerable invasion of privacy, and should be replaced with anonymous payment systems, but the invasion isn't done by malware. The other cases mentioned are done by proprietary malware in the car.
Tesla cars allow the company to extract data remotely and determine the car's location at any time. (See Section 2, paragraphs b and c.) The company says it doesn't store this information, but if the state orders it to get the data and hand it over, the state can store it.
Spyware at Home
Spyware in TV Sets
Emo Philips made a joke: The other day a woman came up to me and said, “Didn't I see you on television?” I said, “I don't know. You can't see out the other way.” Evidently that was before Amazon “smart” TVs.
Tivo's alliance with Viacom adds 2.3 million households to the 600 million social media profiles the company already monitors. Tivo customers are unaware they're being watched by advertisers. By combining TV viewing information with online social media participation, Tivo can now correlate TV advertisement with online purchases, exposing all users to new combined surveillance by default.
Some web and TV advertisements play inaudible sounds to be picked up by proprietary malware running on other devices in range so as to determine that they are nearby. Once your Internet devices are paired with your TV, advertisers can correlate ads with Web activity, and other cross-device tracking.
Vizio “smart” TVs recognize and track what people are watching, even if it isn't a TV channel.
The Amazon “Smart” TV is watching and listening all the time.
The Samsung “Smart” TV transmits users' voice on the internet to another company, Nuance. Nuance can save it and would then have to give it to the US or some other government.
Speech recognition is not to be trusted unless it is done by free software in your own computer.
Spyware in LG “smart” TVs reports what the user watches, and the switch to turn this off has no effect. (The fact that the transmission reports a 404 error really means nothing; the server could save that data anyway.)
Even worse, it snoops on other devices on the user's local network.
LG later said it had installed a patch to stop this, but any product could spy this way.
Meanwhile, LG TVs do lots of spying anyway.
Verizon cable TV snoops on what programs people watch, and even what they wanted to record.
Spyware on the Web
In addition, many web sites spy on their visitors. Web sites are not programs, so it makes no sense to call them “free” or “proprietary”, but the surveillance is an abuse all the same.
Pages that contain “Like” buttons enable Facebook to track visitors to those pages—even users that don't have Facebook accounts.
Many web sites rat their visitors to advertising networks that track users. Of the top 1000 web sites, 93% fed their visitors third-party cookies, allowing other sites to track them.
Many web sites report all their visitors to Google by using the Google Analytics service, which tells Google the IP address and the page that was visited.
Many web sites try to collect users' address books (the user's list of other people's phone numbers or email addresses). This violates the privacy of those other people.
Microsoft SkyDrive allows the NSA to directly examine users' data.
Spyware in Chrome
Google Chrome makes it easy for an extension to do total snooping on the user's browsing, and many of them do so.
Spyware in Flash
Flash Player's cookie feature helps web sites track visitors.
Flash is also used for “fingerprinting” devices to identify users.
JavaScript code is another method of “fingerprinting” devices.