4
0

Further proof apps are evil.


 invite response                
2022 Nov 8, 9:28am   508 views  6 comments

by RWSGFY   ➕follow (4)   💰tip   ignore  

Comments 1 - 6 of 6        Search these comments

1   Patrick   2022 Nov 8, 9:44am  

It's worth quoting in case it disappears:


With Twitter's change in ownership last week, I'm probably in the clear to talk about the most unethical thing I was asked to build while working at Twitter.

To set the stage, this was the 2015-2016 era. @dickc was just ousted, though he was wonderful and made us feel like family.
@jack came in as part-time CEO. Twitter had been near death for a while and was desperately trying to find a buyer. Facebook and Google both refused.

Most people don't really appreciate how close Twitter was to shutting down. The 2016 election was the only thing that saved them and made them relevant again (to the detriment of us all). But I digress...
I worked as a software engineer on a team with a charter to make Twitter work better for people in emerging markets (Brazil, India, Nigeria, etc...). This meant a lot of mobile work. And was mostly non-visual stuff - reducing bandwidth, memory usage, battery consumption.
Oh and app size... we fought tooth and nail to keep the app under 10MB. FB had the money to zero-rate for people in India to d/l a 100MB app, but we did not. We finally lost the 10MB battle when Twitter Video launched (iirc). After that, all discipline around app size was lost.
One of the first areas I worked on was improving the way our mobile apps uploaded logs. Twitter, like most mobile apps, logs everything users do – every swipe, tap, edit, delay, etc… – for debugging, metrics, and experiments.

The size of logs adds up quickly.
In the app, HTTP responses were compressed, but requests weren't. Logs are highly compressible, so I wired up support to gzip HTTP requests, and tweaked our log ingestion server to handle these.

(That reduced mobile bandwidth consumption by ~40% iirc. It was absurd.)
So I became known as the mobile logs guy. And that sets the stage for why I was pulled into a Sales conversation. Twitter was on its death bed and was desperate for money. A large telco wanted to pay us to log signal strength data in N. America and send it to them.
My plan was to aggregate signal strength by carrier / by location. I worked with Data Science to find a granularity – minimum area size and minimum distinct users per area – that would preserve anonymity even when combined with other sources of data (differential privacy).
When we sent this data to the telco they said the data was useless. They switched their request and said they want to be able to tell how many of our users are entering their competitors’ stores.

A bit sketchier, but maybe workable in a privacy respecting way?
We ran an alternative by the telco. They didn’t like it and were frustrated. So was Sales. I was asked to go to telco’s HQ and figure out exactly what they want.

The subsequent request was absurd.
I wound up meeting with a Director who came in huffing and puffing.

The Director said “We should know when users leave their house, their commute to work, and everywhere they go throughout the day. Anything less is useless. We get a lot more than that from other tech companies.”
I responded with some variant of “No fucking way”.

There was no universe where I was going to help sell granular identifiable user location data.

This led to more internal meetings. Legal said the request was fine – none of it violated the user ToS.
Normally they might find another engineer to do this work, but my whole team was aligned with the privacy concerns. Twitter had also just done layoffs (aside: time is a flat circle), so there were no spare engineers around.
2   Patrick   2022 Nov 8, 9:45am  

I can't think of any legitimate reason to install any app except a web browser, and after that to just use the web browser for everything.

Every company making an app could instead put that effort into making a better web page, but they don't because they want to collect and sell your data.
3   zzyzzx   2022 Nov 8, 9:47am  

Not use apps AND turn off location.
4   Patrick   2022 Nov 8, 10:14pm  

Even better to get a phone with a hard switch which turns off location, like the Librum. Expensive though.
5   RWSGFY   2022 Nov 14, 9:07am  

By James Pearson and Marisa Taylor

LONDON/WASHINGTON (Reuters) - Thousands of smartphone applications in Apple and Google's online stores contain computer code developed by a technology company, Pushwoosh, that presents itself as based in the United States, but is actually Russian, Reuters has found.

The Centers for Disease Control and Prevention (CDC), the United States' main agency for fighting major health threats, said it had been deceived into believing Pushwoosh was based in the U.S. capital. After learning about its Russian roots from Reuters, it removed Pushwoosh software from seven public-facing apps, citing security concerns.

The U.S. Army said it had removed an app containing Pushwoosh code in March because of the same concerns. That app was used by soldiers at one of the country's main combat training bases.

According to company documents publicly filed in Russia and reviewed by Reuters, Pushwoosh is headquartered in the Siberian town of Novosibirsk, where it is registered as a software company that also carries out data processing. It employs around 40 people and reported revenue of 143,270,000 rubles ($2.4 mln) last year. Pushwoosh is registered with the Russian government to pay taxes in Russia.

On social media and in U.S. regulatory filings, however, it presents itself as a U.S. company, based at various times in California, Maryland and Washington, D.C., Reuters found.

Pushwoosh provides code and data processing support for software developers, enabling them to profile the online activity of smartphone app users and send tailor-made push notifications from Pushwoosh servers.

...

HUGE DATABASE

Pushwoosh code was installed in the apps of a wide array of international companies, influential non-profits and government agencies from global consumer goods company Unilever Plc and the Union of European Football Associations (UEFA) to the politically powerful U.S. gun lobby, the National Rifle Association (NRA), and Britain's Labour Party.

Pushwoosh's business with U.S. government agencies and private companies could violate contracting and U.S. Federal Trade Commission (FTC) laws or trigger sanctions, 10 legal experts told Reuters. The FBI, U.S. Treasury and the FTC declined to comment.

Jessica Rich, former director of the FTC's Bureau of Consumer Protection, said "this type of case falls right within the authority of the FTC," which cracks down on unfair or deceptive practices affecting U.S. consumers.

....

Pushwoosh code has been embedded into almost 8,000 apps in the Google and Apple app stores, according to Appfigures, an app intelligence website. Pushwoosh's website says it has more than 2.3 billion devices listed in its database.

"Pushwoosh collects user data including precise geolocation, on sensitive and governmental apps, which could allow for invasive tracking at scale," said Jerome Dangu, co-founder of Confiant, a firm that tracks misuse of data collected in online advertising supply chains.

...

Keir Giles, a Russia expert at London think tank Chatham House, said despite international sanctions on Russia, a "substantial number" of Russian companies were still trading abroad and collecting people's personal data.

...

'SECURITY ISSUES'

After Reuters raised Pushwoosh's Russian links with the CDC, the health agency removed the code from its apps because "the company presents a potential security concern," spokesperson Kristen Nordlund said.

"CDC believed Pushwoosh was a company based in the Washington, D.C. area," Nordlund said in a statement. The belief was based on "representations" made by the company, she said, without elaborating.

The CDC apps that contained Pushwoosh code included the agency's main app and others set up to share information on a wide range of health concerns. One was for doctors treating sexually transmitted diseases. While the CDC also used the company's notifications for health matters such as COVID, the agency said it "did not share user data with Pushwoosh."

The Army told Reuters it removed an app containing Pushwoosh in March, citing "security issues." It did not say how widely the app, which was an information portal for use at its National Training Center (NTC) in California, had been used by troops.

The NTC is a major battle training center in the Mojave Desert for pre-deployment soldiers, meaning a data breach there could reveal upcoming overseas troop movements.

U.S. Army spokesperson Bryce Dubee said the Army had suffered no "operational loss of data," adding that the app did not connect to the Army network.

Some large companies and organizations including UEFA and Unilever said third parties set up the apps for them, or they thought they were hiring a U.S. company.

"We don't have a direct relationship with Pushwoosh," Unilever said in a statement, adding that Pushwoosh was removed from one of its apps "some time ago."

UEFA said its contract with Pushwoosh was "with a U.S. company." UEFA declined to say if it knew of Pushwoosh's Russian ties but said it was reviewing its relationship with the company after being contacted by Reuters.

The NRA said its contract with the company ended last year, and it was "not aware of any issues."

Britain's Labour Party did not respond to requests for comment.

"The data Pushwoosh collects is similar to data that could be collected by Facebook, Google or Amazon, but the difference is that all the Pushwoosh data in the U.S. is sent to servers controlled by a company (Pushwoosh) in Russia," said Zach Edwards, a security researcher, who first spotted the prevalence of Pushwoosh code while working for Internet Safety Labs, a nonprofit organization.

...

FAKE ADDRESS, FAKE PROFILES

In U.S. regulatory filings and on social media, Pushwoosh never mentions its Russian links. The company lists "Washington, D.C." as its location on Twitter and claims its office address as a house in the suburb of Kensington, Maryland, according to its latest U.S. corporation filings submitted to Delaware's secretary of state. It also lists the Maryland address on its Facebook and LinkedIn profiles.

The Kensington house is the home of a Russian friend of Konev's who spoke to a Reuters journalist on condition of anonymity. He said he had nothing to do with Pushwoosh and had only agreed to allow Konev to use his address to receive mail.

Konev said Pushwoosh had begun using the Maryland address to "receive business correspondence" during the coronavirus pandemic.

He said he now operates Pushwoosh from Thailand but provided no evidence that it is registered there. Reuters could not find a company by that name in the Thai company registry.

Pushwoosh never mentioned it was Russian-based in eight annual filings in the U.S. state of Delaware, where it is registered, an omission which could violate state law.

Instead, Pushwoosh listed an address in Union City, California as its principal place of business from 2014 to 2016. That address does not exist, according to Union City officials.

Pushwoosh used LinkedIn accounts purportedly belonging to two Washington, D.C.-based executives named Mary Brown and Noah O'Shea to solicit sales. But neither Brown nor O'Shea are real people, Reuters found.

The one belonging to Brown was actually of an Austria-based dance teacher, taken by a photographer in Moscow, who told Reuters she had no idea how it ended up on the site.

Konev acknowledged the accounts were not genuine. He said Pushwoosh hired a marketing agency in 2018 to create them in an attempt to use social media to sell Pushwoosh, not to mask the company's Russian origins.

LinkedIn said it had removed the accounts after being alerted by Reuters.

(Reporting by James Pearson in London and Marisa Taylor in Washington; Additional reporting by Chris Bing in Washington, editing by Chris Sanders and Ross Colvin)
6   FortwayeAsFuckJoeBiden   2022 Nov 14, 7:34pm  

your phone is a tracking device no matter what.

cameras on the road you don’t even notice read your plates and often your face and know where you been.

your bank knows where you buy.

privacy is dead big time.

Please register to comment:

api   best comments   contact   latest images   memes   one year ago   random   suggestions