Greg Dixon

Greg Dixon is deputy editor of Canvas.

Rise of the machine

You know your smartphone is smart. But do you know how much it knows about you, your friends and your family? Or that some or all of that information could legally — or illegally — be in the hands of others? Greg Dixon examines smartphone privacy and why we seem almost wilfully ignorant of the dangers.

Privacy is going to disappear over time, says computer scientist Giovanni Russello. Photo / Greg Bowker

I have a game I want you to play. I want you to imagine yourself 20 years ago. I want you to imagine someone walking up to you in the street and giving you a small, rather beautiful device that, when you touch its glossy glass screen, instantly makes a phone call to someone you know in a city on the other side of the world. You'd be amazed, wouldn't you, in that era of the bricky clamshell phone, to stand there in the street and talk on this tiny, shiny thing to someone far, far away.

But not quite as astonished as when the stranger uses the same device to show you where you are on an interactive map or plays a video clip of a cat doing something silly, or one of the thousands of songs his strange contraption contains, or when he or she dictates a written message to a friend, or plays a game featuring a small flapping bird, or pulls up the weather forecast, or takes your picture and shows it to you before giving you the latest news ...

The distance technology has come in the space of a few decades - actually much less: the first iPhone was unveiled just seven years ago - is really quite breathtaking.

In the last 10 years we've gone from an era when computers mostly sat on desks or were semi-portable at best, to an age when the majority of us carry around a powerful computer in our pocket every waking moment.

That strange device, the smartphone, is now a fact of life: at last count 60 per cent of New Zealanders owned one. That percentage will be even higher by year's end.

But smartphones are also more than a mere fact of life. We're obsessed with them.

According to a recent Google survey, three-quarters of Kiwis won't leave home without their smartphone, 42 per cent believed they had been using theirs more intensely in the previous six months, while a third would rather give up their television than their smartphone. We're using them to communicate, but also to shop, network, entertain ourselves, record those special moments and much else besides.

We can't drag our eyes away from them. Our streets are choked with stumbling zombies staring at small screens. And our obsession with, or at least reliance on, our smartphone is only going to increase. Yahoo's chief executive, Marissa Mayer, has said this year will be a global tipping point for the internet as more people connect to it on handheld devices like smartphones and tablets than on laptops or desktops. Global mobile data volumes are expected to increase 11-fold in the next four years to a number so big I won't bore you with it, while personal mobile connections will grow globally to 10 billion (compared to seven billion now).

Around two billion of those 10 billion connections will be for machines to talk to other machines because the next big digital revolution is something called the "internet of things" or the "internet of everything". Very soon many things you use in your house and life - from your fridge to your car to your TV to your air-conditioner to your garage door to your blinds to your gym gear - will be connected to the internet. Then there are the soon-to-arrive wearable devices, like Google Glass and next-generation health and fitness monitors. Controlling most of these things will be applications on your smartphone.

Yes, the future for the amazing gadget is very exciting indeed. It's also frightening as hell.


Your smartphone knows where you live. For that matter, it knows where you are at any given moment because you have it with you at all times. It also knows who your friends are, who you talk to and text, instant message and Facebook, what you do on the internet and how often, it knows what you've bought online, it knows what you're interested in and what you're not, and what you read and watch. It knows what your family and friends look like and it knows all your appointments. It knows how much you've got in the bank.

It has your credit card details. It might even know if you're cheating on your partner or lying to your boss about being stuck in traffic.

With a smartphone, you are practically holding your life in your hands.

So you really have to wonder why so many smartphone owners are so slapdash about keeping their amazing gadgets safe.

A survey in 24 countries including New Zealand last year by Symantec, which makes Norton antivirus software, found half of mobile device users didn't do the basics: use a password to lock the machine, run security software or back it up. Only a quarter of smartphone users had security software. Worse, in New Zealand a massive 62 per cent of mobile device users weren't even aware that antivirus software existed for smartphones and tablets.

"Mobile devices are creating a perfect storm for cybercriminals," Symantec's New Zealand boss Michelle Amery said at the survey's release. "While adoption of mobile devices is high, awareness and willingness to take precautions against threats on these devices is low."

Symantec of course has a financial stake in mobile security. But Netsafe, the not-for-profit company that's been promoting internet safety here since 1998, reports exactly the same problem: smartphone users are pretty hopeless at protecting their expensive gadget and the priceless information it holds.

"I think people identify safety with the computer," says Sean Lyons, Netsafe's chief technology officer. "And now it's their phone, well, although it can do some stuff, it's just a phone, right? What's the worst a criminal can do, run up my phone bill? I don't think people have made the leap ... they don't necessarily think they have the same concerns as they do with their PC."

But of course smartphones carry the same risks because they are computers connected to the internet too.

"All these security questions have to start again," Lyons says, "because [with smartphones] we have gone right back to the days when people were saying 'well, do you need antivirus software at all?' We've got all this learning around security, but I'm not sure that learning is being transferred to the smartphone."


Stupidity and bad luck. These for the moment are the highest risks for smartphones. The European Union's digital security agency, the ENISA, found the highest risks were losing or having your phone stolen (and then unprotected data stolen from it) or the unintentional disclosure of data by the smartphone's owner. The sort of attacks we're used to seeing on PCs - phishing, spyware and malware - are only of medium risk, according to the ENISA. So is network "spoofing", where, for example, attackers use rogue wi-fi to steal information for later phishing attacks. This happened recently to a local couple who put a six-figure sum on term deposit with a New Zealand bank over unsecured public wi-fi at an American airport. The money was stolen from the account months later.

Cyber attacks and scams are increasing and are costing big money. Symantec's 2013 report estimates that New Zealanders lost $152 million in cybercrime over the previous 12 months. Seventy-eight per cent of the cyber incidents reported to Netsafe last year were frauds and scams costing an estimated $4.4 million - a huge jump from $1 million ripped off in this way in 2012.

According to Symantec's Norton Report, we're not completely without paranoia around email-based scams: 59 per cent of smartphone users said they'd deleted suspicious-looking email (half also avoided storing sensitive files online).

The depressing reality is that most internet rip-offs and scams succeed because we do something stupid like, for example, supplying login details and passwords after receiving an email purporting to come from our bank. The reality, too, is that this is still generally happening through PCs and laptops, Lyons says. But this will change.

"If we're reaching the cross-over point [where more people use the internet on mobile devices], then if people aren't using PCs any more, what's the point of criminals attacking PCs? They'll concentrate all efforts on attacking those mobile platforms."

And right now three-quarters of smartphone owners are completely unprepared.

Of course the numbers are still relatively small for smartphone attacks. Just a quarter of the New Zealand smartphone users experienced cybercrime in the previous 12 months, according to the Google survey. But this number will grow quickly, Lyons predicts.

Of more immediate concern is the quarter of local smartphone users who reported to Google that they had lost their mobile or had it stolen in the previous 12 months. A lost or stolen phone is a pretty easy way for crims to rip you off, according to Florent Bouron, whose Wellington company IntuiSec does IT security consulting.

"It is relatively easy to spy on someone in a bar when they type in their pin number or security pattern and then steal the device with all the data it contains and the broad range of access it gives into someone's email, text messages, bank accounts, social media and location history."

This is a blunt force attack on your smartphone and data. It is malware, however, that is the biggest risk when it comes to data theft, Bouron says.

And antivirus software can be useless against it.

"Whilst not all smartphones are equipped with antivirus software, antivirus programmes themselves are not an effective enough technology to protect a device from ever-evolving malware."

Malware, he says, is usually included in a smartphone app that you have willingly downloaded. Which suggests it's incredibly important to be mindful of the security of the apps that we install on our smartphones. Caveat emptor - let the buyer beware - holds as much for the app store as it does for anywhere else.


There's another Latin maxim, from the first century writer Publilius Syrus, that smartphone owners should keep in mind: beneficium accipere libertatem est vendere - to accept a favour is to sell one's freedom.

While the real and growing threats of phishing, spyware, malware and network "spoofing" are the criminals' way into your smartphone and its precious cargo, others are helping themselves too - and no, I'm not talking about the global data dragnet by the US and its allies revealed by CIA and NSA whistleblower Edward Snowden.

While there has rightly been fury and paranoia about this hidden, mass surveillance by governments, some of the same people raging against this outrage are happily handing over deeply personal information to big business without a second thought. For the price of a free app or the convenience smartphones offer, we'll give away some of our most personal information.

The makers of smartphone operating systems, like Google (which owns the Android operating system), Microsoft and Apple have designed the software to collect information on the user.

"They will reuse this data for advertisements or other reasons," says Dr Giovanni Russello, a computer scientist and lecturer at the University of Auckland. "[The profit] isn't in the device, but they are making money selling the data about the users."

It doesn't stop at the operating system. Most third-party apps want access to your contacts, location and storage. With Apple's iOS operating system it is possible to control access to contacts, location and so on. However, on phones running Android, the user often has a Hobson's choice: you either agree to the app accessing things like your location, contacts and storage, or don't download the app. You cannot disable one permission at a time. There is also the potential, depending on the apps you have installed and the permissions you have given them, for data to bleed from one app to another without you knowing about it or wanting it.

The really scary thing is that you have no idea where this data - whether it's being collected by Google, Apple, Microsoft or third-party app makers - is going or who it's been sold to.

This is the devil in the detail of those agreements so few of us read when we buy a smartphone or download an app. We ignore the fact smartphones are the perfect spying device: they're filled with embedded sensors, including microphones, GPS connections, sim cards and other information-gatherers - and these sensors are with you all the time.

The view of New Zealand's Privacy Commission on this is pretty much caveat emptor.

Commission spokesman Charles Mabbett says it is up to the user to read and familiarise themselves with the terms and conditions of the smartphone apps they intend to install.

"It does come down to a case of consumer choice - if you are comfortable with the terms and conditions, then by all means download it. But the reality is that most people don't look at the fine print."

Does that mean we aren't bothered that, as IntuiSec's Bouron says, the basic ownership of a smartphone exposes our very private information to private enterprise? Maybe. But what it probably says is that convenience trumps privacy. Besides, we don't know what to do about it.

"The problem is that smartphones have inserted themselves into our life in a very pervasive way and in a very short period of time," Bouron says. "And since privacy is a problem that most people haven't had to address before the age of smartphones ... we are all still struggling to understand how to deal with the problem."


The smartphone is the biggest technological Trojan horse there is, Russello believes. And the potential threat to our privacy is only going to get bigger with the arrival of the internet of things.

"With the internet of things, every device you have around you, your home, your car will start getting a sim card, and once you have a sim you get an IP address and once you have an IP address then you are connected to the rest of the world. This is the internet of things. The smartphone will be a way to be connected across your home, your car, your office, your gym. The phone will be like a bridge across all these environments, bringing together data and information about you ... [and] smartphones are always online, so [companies like Google, Apple and third-party app makers] will always be mining data about you and you don't know where that data is going."

There is an obvious solution, of course: don't buy a smartphone. But Russello thinks consumers won't have that option much longer. "There is still a choice now about if you want to buy a dumb phone or a smartphone. But in three or four years' time you won't have a choice, it will be only smartphones."

Ironically, the last line of defence could be getting technology to fight technology.

Russello has recently started a company, Active Mobile Security, to create smartphone software that separates and protects a smartphone's data from its apps in a sort of data lockbox. Initially this software will be for businesses, but the plan is to develop it for personal use too.

That's the short-term solution. However, Russello believes in the long term there is going to be a shift in how we perceive privacy anyway. Certainly the younger generation seem to be ignorant or unworried that the internet is a public domain and once something has been uploaded to it, there's no going back.

"I think privacy is something that is going to disappear over time," Russello says. "I think it is a concept that will fade away. Unfortunately I think that is what is going to happen."

If that does happen - gulp! - then it is, as Netsafe's Lyons says, extremely important right now for us to start managing our online selves with greater competence.

"It is one of the skills, I suppose, of what is called digital citizenship. If we're going to exist in this space then we have to start thinking about what our rights are but what our responsibilities are too. Some of your responsibility as a digital citizen is maintaining your privacy - which means not saying it's someone else's fault when you've published stuff on the internet and it comes back and bites you on the arse."


Stay safe, stay smart

Smartphone users have to accept that they expose their personal activities to companies like Google, Apple, Microsoft and Samsung every day and there is nothing they can do but trust these internet behemoths with their private data. However, there are six basic precautions every smartphone owner should take:

• Pin lock The simplest first defence is a complex pin number (i.e. not 1-1-1-1). Android security pattern users should choose a complicated one and disable the display of the security pattern. We should also treat our smartphone pins like our Eftpos pins: keep it secret, keep it safe.

• Antivirus app If it's good enough for your PC, it's good enough for your smartphone. Free antivirus software works just as well as or better than the ones you buy. Make sure it's up-to-date too.

• Locate and lock software There are a variety of apps that help you find, lock and wipe your smartphone if you lose it or it's stolen, such as Find iPhone. Netsafe has information on Android versions at netsafe.org.nz/how-to-keep-your-mobile-devices-safe-and-secure.

• Back it up If you lose your phone, you don't need to lose your contacts, photos, cat videos, calendars and documents too. Back it up to a computer or Cloud storage.

• Approved apps Apps from bad sources may contain malware. Install apps only from Google, Microsoft or Apple's app stores. For Android users: always look at the permissions the app requires and ask yourself whether what the app offers is worth giving it access to your contacts, storage and/or location.

• Be careful what you store Only store information and files you can afford to lose - if something is very private or sensitive, for goodness' sake don't store it on your phone.

- NZ Herald

© Copyright 2014, APN New Zealand Limited
