Nick Selby

Fintech Chief Security Officer. Former NYPD apparatchik. Co-author Cyber Attack Survival Manual; In Context: Understanding Police Killings o

Apr 7, 2018
Published on: Medium

As I watch the world having conniption fits over Facebook “privacy,” and discussions on the Twitters get increasingly breathless, I wonder how it is possible that people haven’t understood the value proposition provided by Facebook.

Like my friends in advertising, who refer to newspapers as “People who print come-on content on the back of ads,” security and privacy professionals view Facebook as a straight-up trade. Facebook offers something delightfully simple: they provide you with connections to friends and things you like in exchange for every datum about you. This exchange is fair — you get to flirt with your high school sweetheart, they get to sell highly profiled targets to advertisers.

I mean — just how did you think Facebook knew that you wanted to be friends with Jesse, through Sheryl Sandberg’s love?

Gas, Grass, or Ass: No One Rides Free
Are you clueless about how services on the Internet are paid for?

In the book, Cyber Survival Manual: From Identity Theft to The Digital Apocalypse and Everything in Between, Heather Vescent and I discuss mobile application settings and how they can be unfair to users by consuming more data than they actually need to provide the service the app provides.

Usually, this is done on apps that are free — the point is, if you don’t pay for the app, you pay for it with your data. Some consider this a good trade. Sometimes, I do, too — I’m thinking of Transit, or Citizen.

It gets trickier when you’re paying for the app, and the app takes your money and your data.

Like practitioners of another profession, these companies act as if they feel you are paying them to screw you.

Here’s an example I wrote about last year: Weight Watchers is perhaps the most trusted name in weight loss programs.

You pay Weight Watchers for access to their knowledge, and their tips and tricks. Weight Watchers takes your money, and then they also feel entitled to harvest every single datum about you, which they can then sell to others.

I’d rather keep my ass fat, thanks.

Don’t get me wrong — their mobile app has some fascinating features, like the ability to scan a UPC barcode and get a readout of how many SmartPoints that product contains. That’s cool.

Here’s what’s not cool: ironically, the Weight Watchers Mobile app may be the most voracious data gobbling application on the planet. For an app designed to tell you how not to eat too much, the Weight Watchers Mobile app is itself a data sensualist; a personal information gorger; a mobile porker of epic proportions.

It commandeers your identity, locating and consuming all details of every account on your device, and every contact you have, and exactly where you are at all times, and every single person you call, and every single person who has called you.

Then this calorie-counter gets greedy.

Let’s try and consider why Weight Watchers would want to know who calls you.

It’s reasonable that it requires you to provide it full access to the contents of your storage (since it needs to save your profile and meals and other information), and reasonable as well to allow it to take photos and videos.

I suppose it’s reasonable that Weight Watchers wants to see your WiFi connection information — after all, it needs to communicate on the network.

But in the coup d’état that was its installation, Weight Watchers already took full permission to use your network — each and every network you connect to, along with the ability to manage your document storage, receive data from the Internet, and view all your network connections. And why does it need to view all your WiFi connections? All of them?

And let’s talk unmitigated greed: Weight Watchers also demands that you provide them the ability to run their app at startup, prevent the device from sleeping, and control basically the entire device, especially and specifically including the flashlight.

The flashlight.

There is a word in the industry for this kind of application.

A software package that gobbles up the ability to run each and every aspect of the device, control when and how it starts, and run all communications, to monitor all communications in voice and data, and send and receive messages at will in all forms up to and actually, literally, including semaphore, and survive a reboot?

We refer to this as a rootkit.

Flashlight? Really?

Shame on Weight Watchers for abusing its customers in this way.
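The permission-versus-purpose review the post walks through can be done mechanically against an app’s AndroidManifest.xml. The example below is added here and is not code from the post or from Weight Watchers; the manifest is constructed to mirror the permission categories described above (it is not the real app’s manifest), and the EXPECTED and SENSITIVE sets are my assumptions about what a barcode-scanning, meal-logging app does and does not need.

```python
import xml.etree.ElementTree as ET
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # android:name, namespace-qualified
# Constructed manifest (not the real Weight Watchers one) with the post's permission categories.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.FLASHLIGHT"/>
</manifest>"""

# Assumed: what a barcode-scanning, meal-logging app plausibly needs for its stated purpose.
EXPECTED = {
    "android.permission.INTERNET", "android.permission.CAMERA",  # network, UPC scanning
    "android.permission.WRITE_EXTERNAL_STORAGE",  # saving profile and meals
}
# Assumed: permissions that harvest personal data or give the app persistence on the device.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "every contact",
    "android.permission.READ_CALL_LOG": "who you call and who calls you",
    "android.permission.ACCESS_FINE_LOCATION": "exactly where you are",
    "android.permission.GET_ACCOUNTS": "every account on the device",
    "android.permission.RECEIVE_BOOT_COMPLETED": "run at startup, survive a reboot",
    "android.permission.WAKE_LOCK": "prevent the device from sleeping",
}

def requested_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element in the manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission")]

def audit(manifest_xml):
    """Bucket requested permissions into expected, sensitive, and unexplained-by-purpose."""
    report = {"expected": [], "sensitive": [], "unexplained": []}
    for perm in requested_permissions(manifest_xml):
        if perm in EXPECTED:
            report["expected"].append(perm)
        elif perm in SENSITIVE:
            report["sensitive"].append((perm, SENSITIVE[perm]))
        else:  # e.g. FLASHLIGHT, ACCESS_WIFI_STATE: no link to the app's stated purpose
            report["unexplained"].append(perm)
    return report
```

Run `audit(SAMPLE_MANIFEST)` to get the three buckets; anything in "sensitive" or "unexplained" is a permission the vendor should be asked to justify before the app is approved for a managed device.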