Cory Doctorow, Jun 23 (thread of 38 tweets, 12 min read)
When my @EFF colleague Alexis Hancock signed her baby up for daycare, she had to download a childcare management app - to monitor and specify "feedings, diaper changes, pictures, activities, and which guardian picked-up/dropped-off the child."

eff.org/deeplinks/2022… 1/
If you'd like an essay-formatted version of this thread to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:

pluralistic.net/2022/06/23/pee… 2/
This was during the lockdown, and the app was a way to comply with social distancing and contact tracing rules, but it was also designed to help with "separation anxiety of newly enrolled children and their anxious parents." 3/
Alexis wasn't the only EFFer with a newborn encountering these apps. Being a digital privacy and security expert, she and her colleagues started to pick apart these apps and seek dialogue with the companies that made them. 4/
They discovered a nightmare of bad security practices, worse privacy practice, and yawning indifference to the digital wellbeing of very small children and their parents. 5/
First of all, there was the matter of account security. When Alexis and co started looking into these apps, they all shared a glaring defect: none of them implemented two-factor authentication, "one of the easiest ways to increase your security." 6/
They contacted @brightwheel, a leading childcare app vendor, who proudly announced that they were rolling out #2FA - and that this would make them the *only* childcare app to support it. 7/
Incredibly, this is true. As Alexis writes for @wired: this is "bullshit."

wired.com/story/daycare-…

Assessing whether an app has 2FA or whether it doesn't is easy: you just have to poke around in the settings. 8/
But a more comprehensive look at app security requires a more sophisticated investigation. EFF undertook a static analysis and network analysis of childcare apps and turned up some disturbing results. 9/
For example, the Android @tadpolespro app exfiltrates a *ton* of data to Facebook's Graph API, as well as extremely granular device info to Branch.io (neither company is mentioned in Tadpoles' privacy policy). 10/
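To make that kind of network analysis concrete, here is an added example (not from the thread, EFF or the PETS paper): it takes a constructed capture of one app session, in the shape a proxy such as mitmproxy can log, and lists every host that is neither the app's own API nor named in its privacy policy, together with the fields that host received. Every URL, host and field name below is an assumption for illustration, including the two tracker endpoints and the hypothetical first-party domain; the idea is the check a reviewer runs against a real capture.

```python
"""Flag third-party endpoints an app talks to that its privacy policy never names."""
from urllib.parse import urlparse, parse_qs

# Constructed capture of one app session (illustrative hosts, paths and fields;
# the two tracker hosts are assumptions about where a Facebook Graph API SDK and
# a Branch SDK report, not values observed in any real app).
CAPTURE = [
    {"url": "https://api.example-childcare.test/v1/events",
     "body": {"child_id": "c-42", "event": "diaper_change", "staff_id": "s-7"}},
    {"url": "https://graph.facebook.com/v12.0/1234567890/activities",
     "body": {"event": "MOBILE_APP_INSTALL", "anon_id": "XZ1",
              "advertiser_id": "38400000-8cf0-11bd-b23e-10b96e40000d",
              "application_package_name": "test.example.childcare"}},
    {"url": "https://api2.branch.io/v1/open?sdk=android",
     "body": {"hardware_id": "a1b2c3", "os_version": "12", "model": "Pixel 6",
              "screen_dpi": 420, "carrier": "T-Mobile", "local_ip": "10.0.0.23"}},
    {"url": "https://api.example-childcare.test/v1/photos?child_id=c-42&page=2",
     "body": {}},
]

# The app's own API hosts, and the third parties its (hypothetical) privacy
# policy actually names. Crash reporting is disclosed; the trackers are not.
FIRST_PARTY_HOSTS = {"api.example-childcare.test"}
DISCLOSED_THIRD_PARTIES = {"sentry.io"}


def fields_sent(flow):
    """Names of every query parameter and body key one request carries."""
    parsed = urlparse(flow["url"])
    names = set(parse_qs(parsed.query).keys())
    names.update(flow.get("body", {}).keys())
    return names


def undisclosed_third_parties(capture, first_party, disclosed):
    """Map each host that is neither first-party nor disclosed to the sorted list
    of field names sent to it. An empty dict means nothing undisclosed was seen."""
    report = {}
    for flow in capture:
        host = urlparse(flow["url"]).hostname
        if host in first_party or host in disclosed:
            continue
        report.setdefault(host, set()).update(fields_sent(flow))
    return {host: sorted(fields) for host, fields in report.items()}


def device_identifiers(report, id_fields=("advertiser_id", "hardware_id",
                                          "anon_id", "local_ip")):
    """Hosts that received fields identifying the device or user: exactly what a
    tracker needs to link this app's users to other data sets."""
    return sorted(h for h, fields in report.items() if set(fields) & set(id_fields))


if __name__ == "__main__":
    report = undisclosed_third_parties(CAPTURE, FIRST_PARTY_HOSTS, DISCLOSED_THIRD_PARTIES)
    for host, fields in report.items():
        print(f"{host}: {', '.join(fields)}")
    print("device-identifying fields sent to:", device_identifiers(report))
```

The output is the list you then hold against the privacy policy: a host that appears here and not in the policy is the disclosure gap the thread describes, and the field list is the evidence of how granular the data is. In practice the capture comes from an intercepting proxy with the app's certificate pinning bypassed; that part is not shown.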
Then there's @himamaapp, which stores user data in Amazon's cloud - and misleadingly labels this practice as "suited to run sensitive government applications and is used by over 300 U.S. government agencies, as well as the Navy, Treasury and NASA." 11/
The thing is, none of that government work runs on the Amazon cloud that Himama uses: it runs on AWS GovCloud, a separate product with its own compliance regime. And even on the same cloud, Amazon's certifications cover Amazon's side of the line; whether a tenant's own buckets, keys and access controls are configured safely is entirely up to the tenant. 12/
There's an industry-wide gap in disclosure of which data is collected and how it is used; the disclosures vendors do make are misleading or incomplete.

Worse, the companies have been vastly indifferent to these problems. 13/
In "'We may share the number of diaper changes': A Privacy and Security Analysis of Mobile Child Care Applications," a paper presented at the 2022 Privacy Enhancing Technologies Symposium, a team lays these problems out in eye-watering detail:

researchgate.net/publication/35… 14/
Writing for EFF, Hancock makes a series of recommendations to the childcare app industry:

* 2FA for all admins and staff

* Address known security vulnerabilities in mobile applications

* Disclose and list any trackers and analytics and how they are used 15/
* Use hardened cloud server images, and have a process in place to continuously update out-of-date technology on those servers

* Lock down any public cloud buckets hosting children’s videos and photos 16/
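"Lock down any public cloud buckets" is a one-line recommendation that hides a concrete check. Here is an added example (not EFF's tooling, not anything from the thread) that performs that check offline against an S3 bucket policy and the bucket's Public Access Block settings: it flags Allow statements that grant read access to the anonymous wildcard principal, and reports the bucket as exposed unless the account-level block that overrides such a policy is on. The two policies and the bucket name are constructed for illustration; the policy grammar and the four Public Access Block keys are AWS's real ones.

```python
"""Offline check of an S3 bucket policy plus Public Access Block for anonymous exposure."""
import json

# Constructed policies for a hypothetical "example-daycare-photos" bucket.
# Neither is taken from any real vendor.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",                       # anyone on the internet
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-daycare-photos/*",
    }],
})

LOCKED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/childcare-app-api"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-daycare-photos/*",
    }],
})

# The four S3 Public Access Block settings; all True is the locked-down state.
FULL_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
NO_BLOCK = {k: False for k in FULL_BLOCK}

# Actions (lower-cased) that let a principal read objects or list the bucket.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:*", "*"}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _anonymous_principal(principal):
    """True when a statement's Principal is the anyone-on-the-internet wildcard,
    written either as "*" or as {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_read_statements(policy_json):
    """Sids of Allow statements granting read access to anonymous principals with
    no Condition. Conditional wildcard grants are deliberately not flagged: a
    human has to read the condition (e.g. a VPC or source-IP restriction)."""
    policy = json.loads(policy_json)
    sids = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _anonymous_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS:
            sids.append(stmt.get("Sid", "<no Sid>"))
    return sids


def bucket_exposed(policy_json, public_access_block):
    """A bucket is exposed when its policy has a public read grant AND
    RestrictPublicBuckets is off. RestrictPublicBuckets is the setting that
    actually cuts anonymous access to a bucket whose policy is already public;
    BlockPublicPolicy only stops new public policies being attached. Missing keys
    count as False, which is AWS's default. ACL-based exposure (the other route,
    governed by the *PublicAcls keys) is not modelled because no ACL is input."""
    restricted = public_access_block.get("RestrictPublicBuckets", False)
    return bool(public_read_statements(policy_json)) and not restricted


if __name__ == "__main__":
    for name, policy in (("PUBLIC_POLICY", PUBLIC_POLICY), ("LOCKED_POLICY", LOCKED_POLICY)):
        print(name, "public read statements:", public_read_statements(policy),
              "exposed with no block:", bucket_exposed(policy, NO_BLOCK))
```

The policy JSON and the Public Access Block configuration are what `aws s3api get-bucket-policy` and `aws s3api get-public-access-block` return; feeding those into the two functions above turns the recommendation into a pass/fail that can run in CI before a deploy, rather than a sentence in a blog post.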
She also strongly recommends implementing end-to-end encryption between schools and parents: "There’s no need for the service itself to view communication being passed between schools and parents." 17/
The irony here is that all of this is happening in the context of apps, which were sold to us as "curated computing." 18/
We were promised that if we ended the practice of software authors providing code to their users, and instead let Apple and Google decide what code we were allowed to run, all the evils of software would go away:

boingboing.net/2010/04/02/why… 19/
In reality, apps are some of the dirtiest code we use. Muslim call-to-prayer apps harvest their users' data and sell it to ICE and other domestic spy agencies:

latimes.com/business/techn… 20/
Period-tracking apps share their users' sex lives, fertility data, location and other sensitive info to all comers, and will be a bonanza for bounty-hunting forced-birth advocates seeking to turn in people who have abortions for cash rewards:

web.archive.org/web/2019090922… 21/
Why are apps such a consistent dumpster-fire? Well, for one thing, apps have to be built using the app stores' specs, which are billed as imposing rigor on software authors. 22/
In reality, the overhead this imposes has driven app makers to use software development kits that sneak privacy-invading data collection onto users. 23/
Because apps come from "app stores" and not as standalone software, app vendors can "update" their code with new, malicious behaviors and users can't "downgrade" to the earlier, superior versions. 24/
For example, when @getaudacity was taken over by dickheads who announced that the program would soon come with built-in tracking, users responded by announcing that they wouldn't install the new versions, and the company backed down:

hackaday.com/2021/07/23/new… 25/
That's not how it works for apps. A couple years ago, a trivial app I used to specify Bluetooth priority (so my phone wouldn't connect to my kid's speaker when I walked past her room) was updated to include intrusive adware that popped up ads every time I unlocked the device. 26/
Eventually I figured out what was going on and uninstalled the software, but because this was from an app store, I can't roll back to the superior, pre-adware version.

The revelations about bad data-handling in childcare apps are disturbingly predictable. 27/
These are the very same bad practices that @senwarren, @senbooker and @RonWyden have raised with mental health apps like @betterhelp and @talkspace:

theverge.com/2022/6/23/2317… 28/
It's hard to say which is more disturbing: privacy-invading, insecure mental health apps, or privacy-invading, insecure apps that track your toddler's play, sleep, location and diaper changes.

Neither is acceptable. 29/
All of this should be viewed against the backdrop of legislative and regulatory initiatives to force tech giants to give their customers more say over which apps they run, and how. 30/
In response, Big Tech companies insist that allowing software developers to directly transact with device owners will expose the public to bad privacy and security practices - insisting, against all evidence, that "mobile" is a synonym for "secure." 31/
One intriguing way out of this mess is by forcing the mobile platforms to fully support #WebApps, or at least to get out of the way of developers who want to offer mobile tools to users to make Web Apps fully functional:

eff.org/deeplinks/2022… 32/
A Web App is just what it sounds like: an app that is delivered into your browser, and runs inside of it. 33/
The Web App experience *could* be (but isn't) pretty much identical to installing app store apps: choose your app, click install, grant or refuse permissions, get an icon on your home screen:

open-web-advocacy.org 34/
But because Web Apps run in browsers, they can be modified by browser plugins - like ad- and tracker-blockers. 35/
And because Web Apps are defined by open standards - not by corporate fiat handed down by monopolists whose own products compete with app developers - anyone can make a Web App development toolkit:

w3.org/standards/webd… 36/
Regular software can spy on users and steal their data, too, of course. But turning "programs" into "apps" didn't solve this problem - it just limited users' ability to defend themselves, making them reliant on two companies to decide what protections they deserve. 37/
