Tweet

Cory Doctorow

Jun 23 • 38 tweets • 12 min read

@EFF

When my @EFF colleague Alexis Hancock signed her baby up for daycare, she had to download a childcare management app - to monitor and specify "feedings, diaper changes, pictures, activities, and which guardian picked-up/dropped-off the child."

eff.org/deeplinks/2022… 1/

If you'd like an essay-formatted version of this thread to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:

pluralistic.net/2022/06/23/pee… 2/

This was during the lockdown, and the app was a way to comply with social distancing and contact tracing rules, but it was also designed to help with "separation anxiety of newly enrolled children and their anxious parents." 3/

Alexis wasn't the only EFFer with a newborn encountering these apps. Being a digital privacy and security expert, she and her colleagues started to pick apart these apps and seek dialogue with the companies that made them. 4/

They discovered a nightmare of bad security practices, worse privacy practice, and yawning indifference to the digital wellbeing of very small children and their parents. 5/

First of all, there was the matter of account security. When Alexis and co started looking into these apps, they all shared a glaring defect: none of them implemented two-factor authentication, "one of the easiest ways to increase your security." 6/

@brightwheel

They contacted @brightwheel, a leading childcare app vendor, who proudly announced that they were rolling out #2FA - and that this would make them the *only* childcare app to support it. 7/

@wired

Incredibly, this is true. As Alexis writes for @wired: this is "bullshit."

wired.com/story/daycare-…

Assessing whether an app has 2FA or whether it doesn't is easy: you just have to poke around in the settings. 8/

But a more comprehensive look at app security requires a more sophisticated investigation. EFF undertook a static analysis and network analysis of childcare apps and turned up some disturbing results. 9/

@tadpolespro

For example, the Android @tadpolespro app exfiltrates a *ton* of data to Facebook's Graph API, as well as extremely granular device info to Branch.io (neither company is mentioned in Tadpoles' privacy policy). 10/

@himamaapp

Then there's @himamaapp, which stores user data in Amazon's cloud - and misleadingly labels this practice as "suited to run sensitive government applications and is used by over 300 U.S. government agencies, as well as the Navy, Treasury and NASA." 11/

The thing is, none of this activity runs on the Amazon cloud that Himama uses - it's on the AWS Govcloud, a completely separate product. 12/

There's an industry-wide gap in disclosure of which data is collected and how it is used; the disclosures they do make are misleading or incomplete.

Worse, the companies have been vastly indifferent to these problems. 13/

In "'We may share the number of diaper changes': A Privacy and Security Analysis of Mobile Child Care Applications," a paper presented at the 2022 Privacy Enhancing Technologies Symposium, a team lays these problems out in eye-watering detail:

researchgate.net/publication/35… 14/

Writing for EFF, Hancock makes a series of recommendations to the childcare app industry:

* 2FA for all admins and staff

* Address known security vulnerabilities in mobile applications

* Disclose and list any trackers and analytics and how they are used 15/

* Use hardened cloud server images. Additionally, a process in place to continuously update out-of-date technology on those servers

* Lock down any public cloud buckets hosting children’s videos and photos 16/

She also strongly recommends implementing end-to-end encryption between schools and parents: "There’s no need for the service itself to view communication being passed between schools and parents." 17/

The irony here is that all of this is happening in the context of apps, which were sold to us as "curated computing." 18/

We were promised that if we ended the practice of software authors providing code to their users, and instead let Apple and Google decide what code we were allowed to run, all the evils of software would go away:

boingboing.net/2010/04/02/why… 19/

In reality, apps are some of the dirtiest code we use. Muslim call-to-prayer apps harvest their users' data and sell it to ICE and other domestic spy agencies:

latimes.com/business/techn… 20/

Period-tracking apps share their users' sex lives, fertility data, location and other sensitive info to all comers, and will be a bonanza for bounty-hunting forced-birth advocates seeking to turn in people who have abortions for cash rewards:

web.archive.org/web/2019090922… 21/

Why are apps such a consistent dumpster-fire? Well, for one thing, apps have to be built using the app stores' specs, which are billed as imposing rigor on software authors. 22/

In reality, the overheads this imposes has driven app makers to use software development kits that sneak privacy-invading data-collection onto users. 23/

Because apps come from "app stores" and not as standalone software, app vendors can "update" their code with new, malicious behaviors and users can't "downgrade" to the earlier, superior versions. 24/

@getaudacity

For example, when @getaudacity was taken over by dickheads who announced that the program would soon come with built-in tracking, users responded by announcing that they wouldn't install the new versions, and the company backed down:

hackaday.com/2021/07/23/new… 25/

That's not how it works for apps. A couple years ago, a trivial app I used to specify Bluetooth priority (so my phone wouldn't connect to my kid's speaker when I walked past her room) was updated to include intrusive adware that popped up ads every time I unlocked the device. 26/

Eventually I figured out what was going on and uninstalled the software, but because this was from an app store, I can't roll back to the superior, pre-adware version.

The revelations about bad data-handling in childcare apps are disturbingly predictable. 27/

@senwarren

These are the very same bad practices that @senwarren, @senbooker and @RonWyden have raised with mental health apps like @betterhelp and @talkspace:

theverge.com/2022/6/23/2317… 28/

It's hard to say which is more disturbing: privacy-invading, insecure mental health apps, or privacy-invading, insecure apps that track your toddler's play, sleep, location and diaper changes.

Neither is acceptable. 29/

All of this should be viewed against the backdrop of legislative and regulatory initiatives to force tech giants to give their customers more say over which apps they run, and how. 30/

In response, Big Tech companies insist that allowing software developers to directly transact with device owners will expose the public to bad privacy and security practices - insisting, against all evidence, that "mobile" is a synonym for "secure." 31/

One intriguing way out of this mess is by forcing the mobile platforms to fully support #WebApps, or at least to get out of the way developers who want to offer mobile tools to users to make Web Apps fully functional:

eff.org/deeplinks/2022… 32/

A Web App is just what it sounds like: an app that is delivered into your browser, and runs inside of it. 33/

The Web App experience *could* be (but isn't) pretty much identical to installing app store apps: choose your app, click install, grant or refuse permissions, get an icon on your home screen:

open-web-advocacy.org 34/

But because Web Apps run in browsers, they can be modified by browser plugins - like ad- and tracker-blockers. 35/

And because Web Apps are defined by open standards - not by corporate fiat handed down by monopolists whose own products compete with app developers - anyone can make a Web App development toolkit:

w3.org/standards/webd… 36/

Regular software can spy on users and steal their data, too, of course. But turning "programs" into "apps" didn't solve this problem - it just limited users' ability to defend themselves, making them reliant on two companies to decide what protections they deserve. 37/