1
00:00:00,000 --> 00:00:19,770
36C3 preroll music
2
00:00:19,770 --> 00:00:25,070
Herald: It is my honor to introduce you
today to Eva and Chris. Eva, she is a
3
00:00:25,070 --> 00:00:29,440
senior researcher at Privacy
International. She works on gender,
4
00:00:29,440 --> 00:00:34,680
economical and social rights and how they
interplay with the right to privacy,
5
00:00:34,680 --> 00:00:40,430
especially in marginalized communities.
Chris, she is the privacy lead at
6
00:00:40,430 --> 00:00:46,370
technology lead at Privacy International.
And his day-to-day job is to expose
7
00:00:46,370 --> 00:00:51,290
companies and how they profit from
individuals and specifically today they
8
00:00:51,290 --> 00:00:59,230
will tell us how these companies can even
profit from your menstruations. Thank you.
9
00:00:59,230 --> 00:01:00,470
Chris: Thank you.
10
00:01:00,470 --> 00:01:05,200
applause
11
00:01:05,200 --> 00:01:13,860
C: Hi, everyone. It's nice to be back at
CCC. I was at CCC last year. If you heard
12
00:01:13,860 --> 00:01:18,580
my talk from last year, this is going to
be like a slightly vague part 2. And if
13
00:01:18,580 --> 00:01:21,680
you're not, I'm just gonna give you a very
brief recap because there is a
14
00:01:21,680 --> 00:01:28,380
relationship between the two. So, I will
give you a little bit of background about
15
00:01:28,380 --> 00:01:32,540
how this project started. Then we get to a
little bit about menstruation apps and
16
00:01:32,540 --> 00:01:38,040
what a menstruation app actually is. Let
me talk a little bit through some of the
17
00:01:38,040 --> 00:01:42,250
data that these apps are collecting
and talk how we did our research, our
18
00:01:42,250 --> 00:01:48,390
research methodology and then what our
findings are and our conclusions. So last
19
00:01:48,390 --> 00:01:54,640
year, I and a colleague did a project
around how Facebook collects data about
20
00:01:54,640 --> 00:02:03,670
users on Android devices using the Android
Facebook SDK. And this is whether you have
21
00:02:03,670 --> 00:02:09,540
a Facebook account or not. And for that
project, we really looked when you first
22
00:02:09,540 --> 00:02:13,740
opened apps and didn't really have to do
very much interaction with them
23
00:02:13,740 --> 00:02:23,560
particularly, about the automatic sending
of data in a post GDPR context. And so we
24
00:02:23,560 --> 00:02:30,170
looked at a load of apps for that project,
including a couple of period trackers. And
25
00:02:30,170 --> 00:02:36,820
that kind of led onto this project because
we were seeing loads of apps, across
26
00:02:36,820 --> 00:02:42,820
different areas of categories. So we
thought we'd like hone in a little bit on
27
00:02:42,820 --> 00:02:48,570
period trackers to see what kind of data,
because they're by far more sensitive than
28
00:02:48,570 --> 00:02:52,600
many of the other apps on there, like you
might consider your music history to be
29
00:02:52,600 --> 00:03:03,690
very sensitive.... laughs So. Yeah. So,
just a quick update on the previous work
30
00:03:03,690 --> 00:03:11,850
from last year. We actually followed up
with all of the companies from that, from
31
00:03:11,850 --> 00:03:17,450
that report. And by the end of like going
through multiple rounds of response, over
32
00:03:17,450 --> 00:03:22,410
60 percent of them changed practices
either by disabling the Facebook SDK in
33
00:03:22,410 --> 00:03:30,699
their app or by disabling it until you
gave consent or removing it entirely. So I
34
00:03:30,699 --> 00:03:35,690
pass over to Eva Blum-Dumontet. She's
going to talk you through menstruation
35
00:03:35,690 --> 00:03:38,850
apps.
Eva: So I just want to make sure that
36
00:03:38,850 --> 00:03:42,310
we're all on the same page. Although if
you didn't know what a menstruation app is
37
00:03:42,310 --> 00:03:47,790
and you still bothered coming to this
talk, I'm extremely grateful. So how many
38
00:03:47,790 --> 00:03:53,540
of you are using a menstruation app or
have a partner, who's been using a
39
00:03:53,540 --> 00:03:58,330
menstruation app? Oh my God. Oh, okay. I
didn't expect that. I thought it was going
40
00:03:58,330 --> 00:04:03,440
to be much less. Okay. Well, for the few
of you who still might not know what a
41
00:04:03,440 --> 00:04:07,670
menstruation app is, I'm still going to go
quickly through what a menstruation app
42
00:04:07,670 --> 00:04:15,520
is. It's the idea of a menstruation app.
We also call them period tracker. It's to
43
00:04:15,520 --> 00:04:21,500
have an app that tracks your menstruation
cycle. So that they tell you what days
44
00:04:21,500 --> 00:04:26,720
you're most fertile. And you can
obviously, if you're using them to try and
45
00:04:26,720 --> 00:04:32,840
get pregnant or if you have, for example,
a painful period, you can sort of plan
46
00:04:32,840 --> 00:04:39,660
accordingly. So that's essentially the
main 2 reasons users would be
47
00:04:39,660 --> 00:04:48,470
looking into using menstruation apps:
pregnancy, period tracking. Now, how did
48
00:04:48,470 --> 00:04:53,880
this research start? As Chris said,
obviously there was whole research that
49
00:04:53,880 --> 00:05:01,270
had been done by Privacy International
last year on various apps. And as Chris
50
00:05:01,270 --> 00:05:08,660
also already said what I was particularly
interested in was the kind of data that
51
00:05:08,660 --> 00:05:13,220
menstruation apps are collecting, because
as we'll explain in this talk, it's really
52
00:05:13,220 --> 00:05:21,800
actually not just limited to menstruation
cycle. And so I was interested in seeing
53
00:05:21,800 --> 00:05:26,820
what actually happens to the data when it
is being shared. So I should say we're
54
00:05:26,820 --> 00:05:31,530
really standing on the shoulders of giants
when it comes to this research. There was
55
00:05:31,530 --> 00:05:35,660
previously existing research on
menstruation apps that was done by a
56
00:05:35,660 --> 00:05:40,930
partner organization, Coding Rights in
Brazil. So they had done research on the
57
00:05:40,930 --> 00:05:46,690
kind of data that was collected by
menstruation apps and the granularity of
58
00:05:46,690 --> 00:05:52,080
this data. Yet, a very interesting thing
that we're looking at was the gender
59
00:05:52,080 --> 00:05:59,030
normativity of those apps. Chris and I
have been looking at, you know, dozens of
60
00:05:59,030 --> 00:06:03,280
these apps and, you know, they have
various data sharing practices, as we'll
61
00:06:03,280 --> 00:06:07,870
explain in this talk. But they have one
thing that all of them have in common is
62
00:06:07,870 --> 00:06:16,150
that they are all pink. The other thing is
that they talk to their users as women.
63
00:06:16,150 --> 00:06:20,550
They, you know, don't want sort of even
compute the fact that maybe not all their
64
00:06:20,550 --> 00:06:30,280
users are women. So there is a very sort
of like narrow perspective of pregnancy
65
00:06:30,280 --> 00:06:41,020
and females' bodies and how does female
sexuality function. Now, as I was saying,
66
00:06:41,020 --> 00:06:45,060
when you're using a menstruation app, it's
not just your menstruation cycle that
67
00:06:45,060 --> 00:06:55,330
you're entering. So this is some of the
questions that menstruation apps ask: So
68
00:06:55,330 --> 00:07:01,090
sex; There is a lot about sex that they
want to know? How often, is it protected
69
00:07:01,090 --> 00:07:08,420
or unprotected? Are you smoking? Are you
drinking? Are you partying? How often? We
70
00:07:08,420 --> 00:07:16,880
even had one app that was asking about
masturbation, your sleeping pattern, your
71
00:07:16,880 --> 00:07:22,930
coffee drinking habits. One thing that's
really interesting is that - and we'll
72
00:07:22,930 --> 00:07:28,910
talk a little bit more again about this
later - but there's very strong data
73
00:07:28,910 --> 00:07:34,071
protection laws in Europe called GDPR as
most of you will know. And it says that
74
00:07:34,071 --> 00:07:38,419
only data that's strictly necessary should
be collected. So I'm still unclear what
75
00:07:38,419 --> 00:07:46,980
masturbation has to do with tracking your
menstruation cycle, but... Other thing
76
00:07:46,980 --> 00:07:56,480
that was collected is about your health
and the reason health is so important is
77
00:07:56,480 --> 00:07:59,980
also related to data protection laws
because when you're collecting health
78
00:07:59,980 --> 00:08:04,730
data, you need to show that you're taking
an extra step to collect this data because
79
00:08:04,730 --> 00:08:11,460
it's considered sensitive personal data.
So extra steps in terms of getting
80
00:08:11,460 --> 00:08:17,170
explicit consent from the users but also
through steps on behalf of the data
81
00:08:17,170 --> 00:08:22,060
controller, in terms of showing that
they're making extra steps for the
82
00:08:22,060 --> 00:08:28,790
security of this data. So this is the type
of question that was asked. There is so
83
00:08:28,790 --> 00:08:34,560
much asked about vaginal discharge and
what kind of vaginal discharge you get
84
00:08:34,560 --> 00:08:39,879
with all sorts of weird adjectives for
this: "Tiki, creamy". So yeah, they
85
00:08:39,879 --> 00:08:49,070
clearly thought a lot about this. And it
is a lot about mood as well. Even, yeah, I
86
00:08:49,070 --> 00:08:56,190
didn't know 'romantic' was a mood but
apparently it is. And what's interesting
87
00:08:56,190 --> 00:09:01,900
obviously about mood in the context where,
you know, we've seen stories like
88
00:09:01,900 --> 00:09:07,000
Cambridge Analytica, for example. So we
know how much companies, we know how much
89
00:09:07,000 --> 00:09:11,940
political parties are trying to understand
how we think, how we feel. So that's
90
00:09:11,940 --> 00:09:17,490
actually quite significant that you have
an app that's collecting information about
91
00:09:17,490 --> 00:09:24,110
how we feel on a daily basis. And
obviously, like when people enter all
92
00:09:24,110 --> 00:09:29,200
these data, their expectation at that
point is that the data stays between
93
00:09:29,200 --> 00:09:35,481
them and the app. And actually,
there is very little in the privacy policy
94
00:09:35,481 --> 00:09:41,930
that could that would normally suggest
that it was. So this is the moment where I
95
00:09:41,930 --> 00:09:45,710
actually should say we're not making this
up; like literally everything in this list
96
00:09:45,710 --> 00:09:51,750
of questions were things, literal terms,
that they were asking. So we set out to
97
00:09:51,750 --> 00:09:55,400
look at the most popular menstruation
apps. Do you want to carry on?
98
00:09:55,400 --> 00:09:59,840
Chris: Yeah. I forgot to introduce myself
as well. Really? That's a terrible
99
00:09:59,840 --> 00:10:02,440
speaking habit.
Eva: Christopher Weatherhead..
100
00:10:02,440 --> 00:10:08,740
Chris: .. Privacy International's
technology lead. So yeah.. What I said
101
00:10:08,740 --> 00:10:11,580
about our previous research, we have
actually looked at most of the very
102
00:10:11,580 --> 00:10:17,990
popular menstruation apps, the ones that
have hundreds of thousands of downloads.
103
00:10:17,990 --> 00:10:21,910
And these apps - like as we're saying that
this kind of work has been done before. A
104
00:10:21,910 --> 00:10:25,560
lot of these apps that come into quite a
lot of criticism, I'd spare you the free
105
00:10:25,560 --> 00:10:30,460
advertising about which ones particularly
but most of them don't do anything
106
00:10:30,460 --> 00:10:36,500
particularly outrageous, at least between
the app and the developers' servers. A lot
107
00:10:36,500 --> 00:10:39,470
of them don't share with third parties at
that stage. So you can't look between the
108
00:10:39,470 --> 00:10:43,850
app and the server to see what they're
sharing. They might be sharing data from
109
00:10:43,850 --> 00:10:48,270
the developers' server to Facebook or to
other places but at least you can't see
110
00:10:48,270 --> 00:10:55,600
in-between. But we're an international
organization and we work around the globe.
111
00:10:55,600 --> 00:11:01,260
And most of the apps that get the most
downloads are particularly Western, U.S.,
112
00:11:01,260 --> 00:11:07,700
European but they're not the most popular
apps necessarily in a context like India
113
00:11:07,700 --> 00:11:12,810
and the Philippines and Latin America. So
we thought we'd have a look and see those
114
00:11:12,810 --> 00:11:17,330
apps. They're all available in Europe but
they're not necessarily the most popular
115
00:11:17,330 --> 00:11:23,330
in Europe. And this is where things
started getting interesting. So what
116
00:11:23,330 --> 00:11:29,520
exactly did we do? Well, we started off by
triaging through a large number of period
117
00:11:29,520 --> 00:11:36,270
trackers. And as Eva said earlier: every
logo must be pink. And we were just kind
118
00:11:36,270 --> 00:11:40,420
of looking through to see how many
trackers - this is using Exodus
119
00:11:40,420 --> 00:11:46,600
Privacy. We have our own instance in PI
and we just looked through to see how many
120
00:11:46,600 --> 00:11:50,780
trackers and who the trackers were. So,
for example, this is Maya, which is
121
00:11:50,780 --> 00:11:54,519
exceptionally popular in India,
predominantly - it's made by an Indian
122
00:11:54,519 --> 00:12:01,050
company. And as you can see, it's got a
large number of trackers in it: a
123
00:12:01,050 --> 00:12:09,230
CleverTap, Facebook, Flurry, Google and
InMobi. So we went through this process and
124
00:12:09,230 --> 00:12:14,780
this allowed us to cut down... There's
hundreds of period trackers. Not all of
125
00:12:14,780 --> 00:12:18,769
them are necessarily bad but it's nice to
try to see which ones had the most
126
00:12:18,769 --> 00:12:24,500
trackers, where they were used and try and
just triage them a little bit. From this,
127
00:12:24,500 --> 00:12:33,190
we then run through PI's interception
environment, which is a VM that I've made.
128
00:12:33,190 --> 00:12:37,410
I actually made it last year for the talk
I gave last year. And I said I'd release
129
00:12:37,410 --> 00:12:40,620
it after the talk and took me like three
months to release it but it's now
130
00:12:40,620 --> 00:12:45,420
available. You can go onto PI's website
and download it. It's a man in the middle
131
00:12:45,420 --> 00:12:52,860
proxy with a few settings - mainly for
looking at iOS and Android apps to do data
132
00:12:52,860 --> 00:12:59,210
interception between them. And so we run
through that and we got to have a look at
133
00:12:59,210 --> 00:13:05,030
all the data that's being sent to and from
both the app developer and third parties.
134
00:13:05,030 --> 00:13:10,810
And here's what we found.
Eva: So out of the six apps we looked at,
135
00:13:10,810 --> 00:13:17,920
five shared data with Facebook. Out of
those five, three pinged Facebook to let
136
00:13:17,920 --> 00:13:23,990
them know when their users were
downloading the app and opening the app.
137
00:13:23,990 --> 00:13:29,759
And that's already quite significant
information and we'll get to that later.
138
00:13:29,759 --> 00:13:37,060
Now, what's actually interesting and the
focus of a report was on the two apps that
139
00:13:37,060 --> 00:13:42,040
shared every single piece of information
that their users entered with Facebook and
140
00:13:42,040 --> 00:13:49,820
other third parties. So just to brief you:
the two apps we focused on are both called
141
00:13:49,820 --> 00:13:55,330
Maya. So that's all very helpful. One is
spelled Maya: M-a-y-a. The other one's
142
00:13:55,330 --> 00:14:01,100
spelled Mia: M-i-a. So, yeah, just bear with
me because this is actually quite
143
00:14:01,100 --> 00:14:09,800
confusing. But so initially we'll focus on
Maya, which is - as Chris mentioned - an
144
00:14:09,800 --> 00:14:16,190
app that's based in India. They have a
user base of several millions. They are
145
00:14:16,190 --> 00:14:27,080
based in India. Userbase, mostly in India,
also quite popular in the Philippines. So
146
00:14:27,080 --> 00:14:30,470
what's interesting with Maya is that they
start sharing data with Facebook before
147
00:14:30,470 --> 00:14:34,800
you even get to agree to their privacy
policy. So I should say already about the
148
00:14:34,800 --> 00:14:39,320
privacy policy of a lot of those apps that
we looked at is that they are literally
149
00:14:39,320 --> 00:14:48,380
the definition of small print. It's very
hard to read. It's legalese language. It
150
00:14:48,380 --> 00:14:53,620
really puts into perspective the whole
question of consent in GDPR because GDPR
151
00:14:53,620 --> 00:14:58,209
says like the consent must be informed.
So you must be able to understand what
152
00:14:58,209 --> 00:15:03,950
you're consenting to. When you're reading
this extremely long, extremely opaque
153
00:15:03,950 --> 00:15:09,069
privacy policies of a lot - literally all
the menstruation apps we've looked at,
154
00:15:09,069 --> 00:15:14,310
excluding one that didn't even bother
putting their privacy policy, actually.
155
00:15:14,310 --> 00:15:20,360
It's opaque. It's very hard to understand
and - absolutely, definitely, do not say
156
00:15:20,360 --> 00:15:25,480
that they're sharing information with
Facebook. As I said, data sharing happened
157
00:15:25,480 --> 00:15:29,740
before you get to agree to their privacy
policy. The other thing that's also worth
158
00:15:29,740 --> 00:15:33,490
remembering is that when they share
information with Facebook - doesn't matter
159
00:15:33,490 --> 00:15:39,180
if you have a Facebook account or not, the
information is still being relayed. The other
160
00:15:39,180 --> 00:15:43,720
interesting thing that you'll notice as
well in several of the slides is that the
161
00:15:43,720 --> 00:15:48,760
information that's being shared is tied to
your identity through your unique ID
162
00:15:48,760 --> 00:15:54,640
identifiers, also your email address. But
basically most of the questions we got
163
00:15:54,640 --> 00:16:00,220
when we released the research was like:
oh, if I use a fake email address or if I
164
00:16:00,220 --> 00:16:06,079
use a fake name, is that OK? Well, it's
not because even if you have a Facebook
165
00:16:06,079 --> 00:16:13,089
account through your unique identifier,
they would definitely be able to trace you
166
00:16:13,089 --> 00:16:21,810
back. There is no way to actually
anonymize this process unless - well at
167
00:16:21,810 --> 00:16:27,420
the end, unless you're deliberately trying to
trick it and use a separate phone
168
00:16:27,420 --> 00:16:34,040
basically for regular users. It's quite
difficult. So this is what it looks like
169
00:16:34,040 --> 00:16:41,620
when you enter the data. So as I said, I
didn't lie to you. This is the kind of
170
00:16:41,620 --> 00:16:49,340
questions they're asking you. And this is
what it looks like when it's being shared
171
00:16:49,340 --> 00:16:54,930
with Facebook. So you see the symptoms
changing, for example, like blood
172
00:16:54,930 --> 00:17:00,339
pressure, swelling, acne, that's all being
shipped through craft out Facebook,
173
00:17:00,339 --> 00:17:06,350
through the Facebook SDK. This is what it
looks like when they show you
174
00:17:06,350 --> 00:17:11,729
contraceptive practice, so again, like
we're talking health data. Here we're
175
00:17:11,729 --> 00:17:17,890
talking sensitive data. We're talking
about data that shouldn't normally require
176
00:17:17,890 --> 00:17:22,309
extra steps in terms of collecting it, in
terms of how it's being processed. But
177
00:17:22,309 --> 00:17:28,840
nope, in this case it was shared exactly
like the rest. This is what it looks like.
178
00:17:28,840 --> 00:17:33,709
Well, so, yeah with sex life it was a
little bit different. So that's what it
179
00:17:33,709 --> 00:17:37,511
looks like when they're asking you about,
you know, you just had sex, was it
180
00:17:37,511 --> 00:17:44,550
protected? Was it unprotected? The way it
was shared with Facebook was a little bit
181
00:17:44,550 --> 00:17:51,490
cryptic, so to speak. So if you have
protected sex, it was entered as love "2",
182
00:17:51,490 --> 00:17:57,779
unprotected sex was entered as Love "3". I
managed to figure that out pretty quickly.
183
00:17:57,779 --> 00:18:07,000
So it's not so cryptic. That's also quite
funny. So Maya had a diary section where
184
00:18:07,000 --> 00:18:12,920
they encourage people to enter like their
notes and your personal thoughts. And I
185
00:18:12,920 --> 00:18:18,680
mean, it's a menstruation app so you can
sort of get the idea of what people are
186
00:18:18,680 --> 00:18:21,899
going to be writing down in there or
expected to write on. It's not going to be
187
00:18:21,899 --> 00:18:26,429
their shopping list, although shopping
lists could also be personal, sensitive,
188
00:18:26,429 --> 00:18:33,049
personal information, but.. So we were
wondering what would happen if you were to
189
00:18:33,049 --> 00:18:38,429
write in this diary and how this
data would be processed. So we entered
190
00:18:38,429 --> 00:18:42,379
literally we entered something very
sensitive, entered here. This is what we
191
00:18:42,379 --> 00:18:53,409
wrote. And literally everything we wrote
was shared with Facebook. Maya also shared
192
00:18:53,409 --> 00:18:58,080
your health data, not just with Facebook,
but with a company called CleverTap that's
193
00:18:58,080 --> 00:19:05,440
based in California. So what's CleverTap?
CleverTap is a data broker, basically.
194
00:19:05,440 --> 00:19:11,520
It's a company that - sort of similar to
Facebook with the Facebook SDK. They
195
00:19:11,520 --> 00:19:16,950
expect of developers to hand over the data
and in exchange app developers get
196
00:19:16,950 --> 00:19:23,679
insights about like how people use the
app, what time of day. You know, the age
197
00:19:23,679 --> 00:19:30,789
of their users. They get all sorts of
information and analytics out of the data
198
00:19:30,789 --> 00:19:38,889
they share with this company. It took us
some time to figure it out because it
199
00:19:38,889 --> 00:19:43,020
shared as wicked wizard?
Chris: Wicket Rocket.
200
00:19:43,020 --> 00:19:50,009
Eva: Wicket Rocket, yeah. But that's
exactly the same. Everything that was
201
00:19:50,009 --> 00:19:57,340
shared with Facebook was also shared with
CleverTap again, with the email address
202
00:19:57,340 --> 00:20:04,989
that we were using - everything. Let's
shift. Now, let's look at the other Mia.
203
00:20:04,989 --> 00:20:10,110
It's not just the name that's similar,
it's also the data sharing practices. Mia
204
00:20:10,110 --> 00:20:18,320
is based in Cyprus, so in European Union.
I should say, in all cases, regardless of
205
00:20:18,320 --> 00:20:22,120
where the company is based, the moment
that they market the product in European
206
00:20:22,120 --> 00:20:29,460
Union, so like literally every app we
looked at, they need to - well they should
207
00:20:29,460 --> 00:20:40,479
respect GDPR. Our European data protection
law. Now, the first thing that Mia asked
208
00:20:40,479 --> 00:20:44,940
when you started the app and again - I'll
get to that later about the significance
209
00:20:44,940 --> 00:20:49,710
of this - is why you're using the app or
are you using it to try and get pregnant or
210
00:20:49,710 --> 00:20:55,879
are you just using it to try to track your
periods? Now, it's interesting because it
211
00:20:55,879 --> 00:21:00,070
doesn't change at all the way you interact
with the app eventually. The app stays
212
00:21:00,070 --> 00:21:05,179
exactly the same. But this is actually the
most important kind of data. This is
213
00:21:05,179 --> 00:21:11,419
literally called the germ of data
collection. It's trying to know when a
214
00:21:11,419 --> 00:21:15,970
woman is trying to get pregnant or not. So
the reason this is the first question they
215
00:21:15,970 --> 00:21:21,389
ask is, well my guess on this is - they
want to make sure that like even if you
216
00:21:21,389 --> 00:21:25,630
don't actually use the app that's at least
that much information they can collect
217
00:21:25,630 --> 00:21:31,510
about you. And so this information was
shared immediately with Facebook and with
218
00:21:31,510 --> 00:21:36,529
AppsFlyer. AppsFlyer is very similar to
CleverTap in the way it works. It's also a
219
00:21:36,529 --> 00:21:44,470
company that collects data from these apps
and that has services in terms of analytics
220
00:21:44,470 --> 00:21:54,479
and insights into user behavior. It's
based in Israel. So this is what it looks
221
00:21:54,479 --> 00:22:04,710
like when you enter the information. Yeah,
masturbation, pill. What kind of pill
222
00:22:04,710 --> 00:22:10,760
you're taking, your lifestyle habits. Now
where it's slightly different is that the
223
00:22:10,760 --> 00:22:15,960
information doesn't immediately get shared
with Facebook but based on the information
224
00:22:15,960 --> 00:22:22,559
you enter, you get articles that are
tailored for you. So, for example, like
225
00:22:22,559 --> 00:22:27,359
when you select masturbation, you will
get, you know, masturbation: what you want
226
00:22:27,359 --> 00:22:35,850
to know but are ashamed to ask. Now,
what's eventually shared with Facebook is
227
00:22:35,850 --> 00:22:43,159
actually the kind of article that's being
offered to you. So basically, yes, the
228
00:22:43,159 --> 00:22:50,220
information is shared indirectly because
then you know you have Facebook and...
229
00:22:50,220 --> 00:22:52,929
You've just entered masturbation because
you're getting an article about
230
00:22:52,929 --> 00:22:58,940
masturbation. So this is what happened
when you enter alcohol. So expected
231
00:22:58,940 --> 00:23:02,630
effects of alcohol on a woman's body.
That's what happened when you enter
232
00:23:02,630 --> 00:23:06,149
"unprotected sex". So effectively, all the
information is still shared just
233
00:23:06,149 --> 00:23:14,440
indirectly through the articles you're
getting. Yeah. Last thing also, I should
234
00:23:14,440 --> 00:23:18,449
say on this, in terms of the articles that
you're getting, is that sometimes there
235
00:23:18,449 --> 00:23:23,489
was sort of also kind of like crossing the
data.. was like.. so the articles will be
236
00:23:23,489 --> 00:23:30,479
about like: oh, you have cramps outside of
your periods, for example, like during
237
00:23:30,479 --> 00:23:37,070
your fertile phase. And so you will get
the article specifically for this and the
238
00:23:37,070 --> 00:23:42,559
information that's shared with Facebook
and with AppsFlyer is that this person is
239
00:23:42,559 --> 00:23:49,470
in their fertile period in this phase of
their cycles and having cramps. Now, why
240
00:23:49,470 --> 00:23:52,370
are menstruation apps so obsessed with
finding out if you're trying to get
241
00:23:52,370 --> 00:23:59,840
pregnant? And so, this goes back to a lot
of the things I mentioned before that, you
242
00:23:59,840 --> 00:24:04,039
know, about wanting to know in the very
first place if you're trying to get
243
00:24:04,039 --> 00:24:10,260
pregnant or not. And also, this is
probably why a lot of those apps are
244
00:24:10,260 --> 00:24:16,729
trying to really nail down in their
language and discourse how you're using
245
00:24:16,729 --> 00:24:23,169
the apps for. When a person is pregnant,
their purchasing habit, their consumer
246
00:24:23,169 --> 00:24:29,910
habits change. Obviously, you know, you
buy not only for yourself but you start
247
00:24:29,910 --> 00:24:36,669
buying for others as well. But also you're
buying new things you've never purchased
248
00:24:36,669 --> 00:24:41,549
before. So what a regular person will be
quite difficult to change her purchasing
249
00:24:41,549 --> 00:24:47,549
habit was a person that's pregnant.
They'll be advertisers will be really keen
250
00:24:47,549 --> 00:24:52,869
to target them because this is a point of
their life where their habits change and
251
00:24:52,869 --> 00:24:58,440
where they can be more easily influenced
one way or another. So in other words,
252
00:24:58,440 --> 00:25:03,960
it's pink advertising time. In other more
words and pictures, there's research done
253
00:25:03,960 --> 00:25:12,119
in 2014 in the US that was trying to sort
of evaluate the value of data for a
254
00:25:12,119 --> 00:25:19,320
person. So an average American person
that's not pregnant was 10 cents. A person
255
00:25:19,320 --> 00:25:29,250
who's pregnant would be one dollar fifty.
So you may have noticed we're using the past
256
00:25:29,250 --> 00:25:33,020
tense when we talked about - well I hope I
did when I was speaking definitely into
257
00:25:33,020 --> 00:25:38,359
the lights at least - we used the past
tense when we talk about data sharing of
258
00:25:38,359 --> 00:25:43,330
these apps. That's because both Maya and
Mia, which were the two apps we were
259
00:25:43,330 --> 00:25:47,980
really targeting with this report, stopped
using the Facebook SDK when we wrote to
260
00:25:47,980 --> 00:25:51,089
them about our research
before we published it.
261
00:25:51,089 --> 00:26:00,789
applause
So it was quite nice because it didn't
262
00:26:00,789 --> 00:26:05,690
even like rely on actually us publishing
the report. It was merely at a stage of
263
00:26:05,690 --> 00:26:09,979
like, hey, this is all right of response.
We're gonna be publishing this. Do you
264
00:26:09,979 --> 00:26:13,549
have anything to say about this? And
essentially what they had to say is like:
265
00:26:13,549 --> 00:26:21,260
"Yep, sorry, apologies. We are stopping
this." I think, you know.. What's really
266
00:26:21,260 --> 00:26:27,529
interesting as well to me about like the
how quick the response was is.. it really
267
00:26:27,529 --> 00:26:34,159
shows how this is not a vital service for
them. This is a plus. This is something
268
00:26:34,159 --> 00:26:41,679
that's a useful tool. But the fact that
they immediately could just stop using it,
269
00:26:41,679 --> 00:26:48,269
I think really shows that, you know, it
was.. I wouldn't say a lazy practice, but
270
00:26:48,269 --> 00:26:53,169
it's a case of like: as long as no one's
complaining, then you are going to carry
271
00:26:53,169 --> 00:27:00,299
on using it. And I think that was also the
discourse with your research. There was
272
00:27:00,299 --> 00:27:02,709
also a lot that changed
their behaviors after.
273
00:27:02,709 --> 00:27:06,499
Chris: A lot of the developers sometimes
don't even realize necessarily what data
274
00:27:06,499 --> 00:27:12,009
they're up to sharing with people like
Facebook, with people like CleverTap. They
275
00:27:12,009 --> 00:27:16,649
just integrate the SDK and
hope for the best.
276
00:27:16,649 --> 00:27:22,249
Eva: We also got this interesting response
from AppsFlyer is that it's very
277
00:27:22,249 --> 00:27:26,899
hypocritical. Essentially, what they're
saying is like oh, like we specifically
278
00:27:26,899 --> 00:27:33,549
ask our customers or oh, yeah, do not
share health data with us specifically for
279
00:27:33,549 --> 00:27:37,679
the reason I mentioned earlier, which is
what? Because of GDPR, you're normally
280
00:27:37,679 --> 00:27:44,519
expected to take extra steps when you
process sensitive health data. So their
281
00:27:44,519 --> 00:27:48,809
response is that they ask their customers to
not share health data or sensitive
282
00:27:48,809 --> 00:27:54,900
personal data so they don't become liable
in terms of the law. So they were like,
283
00:27:54,900 --> 00:27:59,909
oh, we're sorry, like this is a breach of
contract. Now, the reason is very
284
00:27:59,909 --> 00:28:04,289
hypocritical is that obviously when you
have contracts with menstruation apps and
285
00:28:04,289 --> 00:28:07,860
actually Maya was not the only
menstruation apps that we're working with.
286
00:28:07,860 --> 00:28:12,230
I mean, you know, what can you generally
expect in terms of the kind of data you're
287
00:28:12,230 --> 00:28:19,139
gonna receive? So here's a conclusion for
us that research works. It's fun, it's
288
00:28:19,139 --> 00:28:26,979
easy to do. You know, Chris has not
published the environment. It doesn't
289
00:28:26,979 --> 00:28:32,539
actually - once the environment is sort of
set up it doesn't actually require
290
00:28:32,539 --> 00:28:36,820
technical background, as you saw from the
slides it's pretty straightforward to
291
00:28:36,820 --> 00:28:41,959
actually understand how the data is being
shared. So you should do it, too. But more
292
00:28:41,959 --> 00:28:46,989
broadly, we think it's really important to
do more research, not just at this stage
293
00:28:46,989 --> 00:28:54,269
of the process, but generally about the
security and the data and the data sharing
294
00:28:54,269 --> 00:29:00,139
practices of apps, because, you know, it's
hard law and more and more people are
295
00:29:00,139 --> 00:29:05,679
using or interacting with technology and
using the Internet. So we need to think
296
00:29:05,679 --> 00:29:10,510
much more carefully about the security
implication of the apps we use and
297
00:29:10,510 --> 00:29:15,639
obviously it works. Thank you.
298
00:29:15,639 --> 00:29:25,369
applause
299
00:29:25,369 --> 00:29:29,519
Herald: Thank you. So, yeah, please line
up in front of the microphones. We can
300
00:29:29,519 --> 00:29:33,869
start with microphone two.
Mic 2: Hi. Thank you. So you mentioned
301
00:29:33,869 --> 00:29:39,119
that now we can check whether our data is
being shared with third parties on the
302
00:29:39,119 --> 00:29:42,460
path between the user and the developer.
But we cannot know for all the other apps
303
00:29:42,460 --> 00:29:46,279
and for these, what if it's not being
shared later from the developer, from the
304
00:29:46,279 --> 00:29:51,859
company to other companies. Have you
conceptualized some ways of testing that?
305
00:29:51,859 --> 00:29:55,659
Is it possible?
Chris: Yes. So you could do a data
306
00:29:55,659 --> 00:30:03,979
subject access request under the GDPR that
would... like the problem is it's quite
307
00:30:03,979 --> 00:30:11,299
hard to necessarily know. How the process
- how the system outside of the app to
308
00:30:11,299 --> 00:30:16,139
server relationship is quite hard to know
the processes of that data and so it is
309
00:30:16,139 --> 00:30:20,309
quite opaque. They might apply a different
identifier too, they might do other
310
00:30:20,309 --> 00:30:23,859
manipulations to that data so trying to
track down and prove this bit of data
311
00:30:23,859 --> 00:30:28,700
belongs to you. It's quite challenging.
Eva: This is something we're going to try.
312
00:30:28,700 --> 00:30:32,070
We're going to be doing in 2020, actually.
We're going to be doing data subject
313
00:30:32,070 --> 00:30:38,330
access request of those apps that we've
been looking up to see if we find anything
314
00:30:38,330 --> 00:30:43,549
both under GDPR but also under different
data protection laws in different
315
00:30:43,549 --> 00:30:49,980
countries. To see basically what we get,
how much we can obtain from that.
316
00:30:49,980 --> 00:30:54,960
Herald: So I'd go with the Signal Angel.
Signal: So what advice can you give us on
317
00:30:54,960 --> 00:31:00,330
how we can make people understand that
from a privacy perspective, it's better to
318
00:31:00,330 --> 00:31:05,280
use pen and paper instead of entering
sensitive data into any of these apps?
319
00:31:05,280 --> 00:31:10,440
Eva: I definitely wouldn't advise that. I
wouldn't advise pen and paper. I think for
320
00:31:10,440 --> 00:31:17,359
us like really the key... The work we are
doing is not actually targeting users.
321
00:31:17,359 --> 00:31:21,280
It's targeting companies. We think it's
companies that really need to do better.
322
00:31:21,280 --> 00:31:26,269
We're often asked about, you know, advice to
customers or advice to users and
323
00:31:26,269 --> 00:31:32,029
consumers. But what I think and what we've
been telling companies as well is that,
324
00:31:32,029 --> 00:31:36,190
you know, their users trust you and they
have the right to trust you. They also
325
00:31:36,190 --> 00:31:40,969
have the right to expect that you're
respecting the law. The European Union has
326
00:31:40,969 --> 00:31:47,429
a very ambitious legislation when it comes
to privacy with GDPR. And so the least
327
00:31:47,429 --> 00:31:55,950
they can expect is that you're respecting
the law. And so, no, I would ... and this
328
00:31:55,950 --> 00:31:59,539
is the thing, I think people have the
right to use those apps, they have the
329
00:31:59,539 --> 00:32:03,850
right to say, well, this is a useful
service for me. It's really companies that
330
00:32:03,850 --> 00:32:08,210
need you. They need to up their game. They
need to live up to the expectations of
331
00:32:08,210 --> 00:32:15,600
their consumers. Not the other way around.
Herald: Microphone 1.
332
00:32:15,600 --> 00:32:19,219
Mic 1: Hi. So from the talk, it seems and
I think that's what you get, you mostly
333
00:32:19,219 --> 00:32:23,320
focused on Android based apps. Can you
maybe comment on what the situation is
334
00:32:23,320 --> 00:32:27,219
with iOS? Is there any technical
difficulty or is it anything completely
335
00:32:27,219 --> 00:32:30,719
different with respect to these apps and
apps in general?
336
00:32:30,719 --> 00:32:33,669
Chris: There's not really a technical
difficulty like the setup a little bit
337
00:32:33,669 --> 00:32:38,799
different, but functionally you can look
at the same kind of data. The focus here,
338
00:32:38,799 --> 00:32:44,960
though, is also.. So it's two-fold in some
respects. Most of the places that these
339
00:32:44,960 --> 00:32:49,940
apps are used are heavily dominated
Android territories, places like India,
340
00:32:49,940 --> 00:32:55,529
the Philippines. iOS penetration there,
uh, Apple device penetration there is very
341
00:32:55,529 --> 00:33:01,979
low. There's no technical reason not to
look at Apple devices. But like in this
342
00:33:01,979 --> 00:33:06,779
particular context, it's not necessarily
hugely relevant. So does that answer your
343
00:33:06,779 --> 00:33:08,989
question?
Mic 1: And technically with your set-up,
344
00:33:08,989 --> 00:33:12,060
you could also do the same
analysis with an iOS device?
345
00:33:12,060 --> 00:33:17,339
Chris: Yeah. As I said it's a little bit
of a change to how you... You have to
346
00:33:17,339 --> 00:33:22,489
register the device as an MDM dev.. like a
mobile profile device. Otherwise you can
347
00:33:22,489 --> 00:33:30,809
do the exact same level of interception.
Mic: Uh, hi. My question is actually
348
00:33:30,809 --> 00:33:33,210
related to the last question
is a little bit technical.
349
00:33:33,210 --> 00:33:35,619
Chris: Sure.
Mic: I'm also doing some research on apps
350
00:33:35,619 --> 00:33:39,539
and I've noticed with the newest versions
of Android that they're making it more
351
00:33:39,539 --> 00:33:44,289
difficult to install custom certificates
to have this pass-through and check what
352
00:33:44,289 --> 00:33:49,070
the apps are actually communicating to
their home servers. Have you found a way to
353
00:33:49,070 --> 00:33:54,029
make this easier?
Chris: Yes. So we actually hit the same
354
00:33:54,029 --> 00:34:01,539
issue as you in some respects. So the
installing of custom certificates was not
355
00:34:01,539 --> 00:34:05,550
really an obstacle because you can add to
the user if it's a rooted device, you can
356
00:34:05,550 --> 00:34:13,510
add them to the system store and they are
trusted by all the apps on the device. The
357
00:34:13,510 --> 00:34:19,330
problem we're now hitting is the Android 9
and 10 have TLS 1.3 and TLS 1.3
358
00:34:19,330 --> 00:34:24,340
detects a man in the middle, or at
least it tries to, and might terminate the
359
00:34:24,340 --> 00:34:28,760
connection. Uh, this is a bit of a
problem. So currently all our research is
360
00:34:28,760 --> 00:34:37,490
still running on Android 8.1 devices. This
isn't going to be sustainable long term.
361
00:34:37,490 --> 00:34:43,210
Herald: Um, 4.
Mic 4: Hey, thank you for the great talk.
362
00:34:43,210 --> 00:34:47,250
Your research is obviously targeted in a
constructive, critical way towards
363
00:34:47,250 --> 00:34:53,250
companies that are making apps surrounding
menstrual research. Did you learn anything
364
00:34:53,250 --> 00:34:57,210
from this context that you would want to
pass on to people who research this area
365
00:34:57,210 --> 00:35:03,360
more generally? I'm thinking, for example,
of Paramount Corp in the US, who've done
366
00:35:03,360 --> 00:35:07,700
micro dosing research on LSD and are
starting a breakout study on menstrual
367
00:35:07,700 --> 00:35:12,080
issues.
Eva: Well, I think this is why I
368
00:35:12,080 --> 00:35:15,980
concluded on it. I think
there's still a lot of research that needs
369
00:35:15,980 --> 00:35:21,090
to be done in terms of the sharing. And
obviously, I think anything that touches
370
00:35:21,090 --> 00:35:27,830
on people's health is a key priority
because it's something people relate very
371
00:35:27,830 --> 00:35:33,750
strongly to. The consequences, especially
in the US, for example, of sharing health
372
00:35:33,750 --> 00:35:38,700
data like this, of having - you know -
data, even like your blood pressure and so
373
00:35:38,700 --> 00:35:42,760
on. Like what are the consequences if
those informations are gonna be shared,
374
00:35:42,760 --> 00:35:46,590
for example, with like insurance companies
and so on. This is what I think is
375
00:35:46,590 --> 00:35:52,470
absolutely essential to have a better
understanding of the data collection and
376
00:35:52,470 --> 00:35:57,570
sharing practices of the services. The
moments when you have health data that's
377
00:35:57,570 --> 00:35:59,720
being involved.
Chris: .. yeah because we often focus
378
00:35:59,720 --> 00:36:06,000
about this being an advertising issue. But
in that sense as well, insurance and even
379
00:36:06,000 --> 00:36:09,950
credit referencing of all sorts of other
things become problematic, especially when
380
00:36:09,950 --> 00:36:14,750
it comes to pregnancy related.
Eva: Yeah, even employers could be after
381
00:36:14,750 --> 00:36:18,510
this kind of information.
Herald: Six.
382
00:36:18,510 --> 00:36:24,450
Mic 6: Hi. I'm wondering if there is an
easy way or a tool which we can use to
383
00:36:24,450 --> 00:36:32,580
detect if apps are using our data or are
reporting them to Facebook or whatever. Or
384
00:36:32,580 --> 00:36:39,830
if we can even use those apps but block
this data from being reported to Facebook.
385
00:36:39,830 --> 00:36:45,650
Chris: Yes. So, you can firewall off
graph.facebook.com and stop sending
386
00:36:45,650 --> 00:36:51,770
data to that. There's a few issues here.
Firstly, it doesn't really like.. This
387
00:36:51,770 --> 00:36:57,940
audience can do this. Most users don't
have the technical nuance to know what
388
00:36:57,940 --> 00:37:02,390
needs to be blocked, what doesn't
necessarily need to be blocked. It's on
389
00:37:02,390 --> 00:37:07,300
the companies to be careful with users'
data. It's not up to the users to try and
390
00:37:07,300 --> 00:37:13,500
defend against.. It shouldn't be on the
user to defend against malicious data
391
00:37:13,500 --> 00:37:17,490
sharing or...
Eva: You know... also one interesting
392
00:37:17,490 --> 00:37:21,930
thing is that if Facebook had put this in
place, like, where you could opt out
393
00:37:21,930 --> 00:37:25,470
from data sharing with the apps you're
using, but that only works if you're a
394
00:37:25,470 --> 00:37:29,840
Facebook user. And as I said, like this
data has been collected whether you are a
395
00:37:29,840 --> 00:37:34,230
user or not. So in a sense, for people who
aren't Facebook users, they couldn't opt
396
00:37:34,230 --> 00:37:37,720
out of this.
Chris: The Facebook SDK the developers are
397
00:37:37,720 --> 00:37:46,690
integrating the default state for sharing
of data is on, the flag is true. And
398
00:37:46,690 --> 00:37:56,480
although they have a long legal text on
the help pages for the developer tools,
399
00:37:56,480 --> 00:38:00,540
it's like unless you have a decent
understanding of local data protection
400
00:38:00,540 --> 00:38:04,890
practice or local protection law. It's
like it's not it's not something that most
401
00:38:04,890 --> 00:38:08,840
developers are gonna be able to understand
why this flag should be something
402
00:38:08,840 --> 00:38:16,320
different from on. You know there's loads
of flags in the SDK, which flags should be
403
00:38:16,320 --> 00:38:21,930
on and off, depending on which
jurisdiction you're selling to, or users
404
00:38:21,930 --> 00:38:27,240
going to be in.
Herald: Signal Angel, again.
405
00:38:27,240 --> 00:38:31,530
Signal: Do you know any good apps which
don't share data and are privacy friendly?
406
00:38:31,530 --> 00:38:37,120
Probably even one that is open source.
Eva: So, I mean, as in the problem which
407
00:38:37,120 --> 00:38:43,260
is why I wouldn't want to vouch for any
app is that even in the apps that, you
408
00:38:43,260 --> 00:38:48,500
know, where in terms of like the traffic
analysis we've done, we didn't see any
409
00:38:48,500 --> 00:38:53,160
data sharing. As Chris was explaining, the
data can be shared at a later stage and
410
00:38:53,160 --> 00:39:00,720
it'd be impossible for us to really find
out. So.. no, I can't be vouching for any
411
00:39:00,720 --> 00:39:04,650
app. I don't know if you can...
Chris: The problem is we can't ever look
412
00:39:04,650 --> 00:39:10,810
like one specific moment in time to see
whether data is being shared, and like what
413
00:39:10,810 --> 00:39:17,690
was good today might be bad tomorrow. What
was bad yesterday might be good today.
414
00:39:17,690 --> 00:39:25,230
Although, I was in Argentina recently
speaking to a group of feminist activists,
415
00:39:25,230 --> 00:39:31,860
and they have been developing a
menstruation tracking app. And the app was
416
00:39:31,860 --> 00:39:37,800
removed from the Google Play store because
it had illustrations that were deemed
417
00:39:37,800 --> 00:39:42,500
pornographic. But they were illustrations
around medical related stuff. So even
418
00:39:42,500 --> 00:39:45,170
people, who were trying to do the right
thing, going through the open source
419
00:39:45,170 --> 00:39:49,720
channels are still fighting a completely
different issue when it comes to
420
00:39:49,720 --> 00:39:52,940
menstruation tracking.
It's a very fine line.
421
00:39:52,940 --> 00:39:57,330
Herald: Um, three.
inaudible
422
00:39:57,330 --> 00:40:01,770
Eva: Sorry, can't hear - the mic's not
working.
423
00:40:01,770 --> 00:40:04,790
Herald: Microphone three.
Mic 3: Test.
424
00:40:04,790 --> 00:40:09,850
Eva: Yeah, it's great - perfect.
Mic 3: I was wondering if the graph API
425
00:40:09,850 --> 00:40:16,560
endpoint was actually in place to track
menstruation data or is it more like a
426
00:40:16,560 --> 00:40:22,970
general purpose advertisement
tracking thing or. Yeah.
427
00:40:22,970 --> 00:40:29,360
Chris: So my understanding is that there's
two broad kinds of data that Facebook gets
428
00:40:29,360 --> 00:40:35,970
as automated app events that Facebook were
aware of. So app open, app close, app
429
00:40:35,970 --> 00:40:41,760
install, relinking. Relinking is quite an
important one for Facebook. That way they
430
00:40:41,760 --> 00:40:44,940
check to see whether you already have a
Facebook account logged in to log the app
431
00:40:44,940 --> 00:40:49,950
to your Facebook account when standing.
There's also a load of custom events that
432
00:40:49,950 --> 00:40:55,400
the app developers can put in. There is
then collated back to a data set - I would
433
00:40:55,400 --> 00:41:01,520
imagine on the other side. So when it
comes to things like whether it's nausea
434
00:41:01,520 --> 00:41:06,390
or some of the other health issues, it is
actually being cross-referenced by the
435
00:41:06,390 --> 00:41:11,820
developer. Does that answer your question?
Mic 3: Yes, thank you.
436
00:41:11,820 --> 00:41:16,320
Herald: Five, microphone five.
Mic 5: Can you repeat what you said in the
437
00:41:16,320 --> 00:41:23,290
beginning about the menstruation apps used
in Europe, especially Clue and the Period
438
00:41:23,290 --> 00:41:29,860
Tracker?
Eva: Yeah. So those are the most
popular apps actually across the world,
439
00:41:29,860 --> 00:41:35,100
not just in Europe and the US. A lot of
them in terms of like the traffic analysis
440
00:41:35,100 --> 00:41:40,980
stage, a lot of them have not clean up
their app. So we can't see any data
441
00:41:40,980 --> 00:41:46,090
sharing happening at that stage. But as I
said, I can't be vouching for them and
442
00:41:46,090 --> 00:41:49,680
saying, oh, yeah, those are safe and fine
to use because we don't know what's
443
00:41:49,680 --> 00:41:54,310
actually happening to the data once it's
been collected by the app. All we can say
444
00:41:54,310 --> 00:42:01,870
is that as far as the research we've done
goes, we didn't see any data being shared.
445
00:42:01,870 --> 00:42:06,750
Chris: Those apps you mentioned have been
investigated by The Wall Street Journal
446
00:42:06,750 --> 00:42:11,790
and The New York Times relatively
recently. So they've been.. had quite like
447
00:42:11,790 --> 00:42:15,720
a spotlight on them. So they've had to
really up their game in a lot of ways
448
00:42:15,720 --> 00:42:20,590
which we would like everyone to do. But as
Eva says, we don't know what else they
449
00:42:20,590 --> 00:42:24,740
might be doing with that data on their
side, not necessarily between the phone
450
00:42:24,740 --> 00:42:29,150
and the server but from their server to
another server.
451
00:42:29,150 --> 00:42:32,510
Herald: Microphone one.
Mic 1: Hi. Thank you for the insightful
452
00:42:32,510 --> 00:42:37,620
talk. I have a question that goes in a
similar direction. Do you know whether or
453
00:42:37,620 --> 00:42:44,080
not these apps, even if they adhere to
GDPR rules collect the data to then at a
454
00:42:44,080 --> 00:42:48,850
later point at least sell it to the
highest bidder? Because a lot of them are
455
00:42:48,850 --> 00:42:53,160
free to use. And I wonder what is their
main goal besides that?
456
00:42:53,160 --> 00:42:58,440
Eva: I mean, the advertisement is how
they make profit. And so, I mean, the
457
00:42:58,440 --> 00:43:04,450
whole question about them trying to know
if you're pregnant or not is that this
458
00:43:04,450 --> 00:43:11,540
information can eventually be - you know -
be monetized through, you know, through
459
00:43:11,540 --> 00:43:17,070
how they target the advertisement at you.
Actually when you're using those apps, you
460
00:43:17,070 --> 00:43:20,340
can see in some of the slides, like you're
constantly like being flushed with like
461
00:43:20,340 --> 00:43:25,630
all sorts of advertisement on the app, you
know, whether they are selling it
462
00:43:25,630 --> 00:43:31,470
externally or not - I can't tell. But what
I can tell is, yeah, your business model
463
00:43:31,470 --> 00:43:34,960
is advertisement and so they are deriving
profit from the data they collect.
464
00:43:34,960 --> 00:43:40,410
Absolutely.
Herald: Again, on microphone one.
465
00:43:40,410 --> 00:43:44,600
Mic 1: Thank you. I was wondering if there
was more of a big data kind of aspect to
466
00:43:44,600 --> 00:43:50,080
it as well, because these are really
interesting medical information on women’s
467
00:43:50,080 --> 00:43:54,560
cycles in general.
Eva: Yeah, and the answer is, like, I call
468
00:43:54,560 --> 00:43:58,030
it—this is a bit of a black box and
especially in the way, for example, that
469
00:43:58,030 --> 00:44:03,100
Facebook is using this data like we don't
know. We can assume that this is like part
470
00:44:03,100 --> 00:44:07,280
of the … we could assume this is part of
the profiling that Facebook does of both
471
00:44:07,280 --> 00:44:13,400
their users and their non-users. But the
way this data is actually
472
00:44:13,400 --> 00:44:19,510
processed also by those apps through data
brokers and so on, it’s a bit of a black
473
00:44:19,510 --> 00:44:27,530
box.
Herald: Microphone 1.
474
00:44:27,530 --> 00:44:32,030
Mic 1: Yeah. Thank you a lot for your talk
and I have two completely different
475
00:44:32,030 --> 00:44:37,630
questions. The first one is: you've been
focusing a lot on advertising and how this
476
00:44:37,630 --> 00:44:44,940
data is used to sell to advertisers. But I
mean, like you aim to be pregnant or not.
477
00:44:44,940 --> 00:44:48,810
It's like it has to be the best kept
secret, at least in Switzerland for any
478
00:44:48,810 --> 00:44:54,430
female person, because like if you also
want to get employed, your employer must
479
00:44:54,430 --> 00:44:59,740
not know whether or not you want to get
pregnant. And so I would like to ask,
480
00:44:59,740 --> 00:45:06,230
like, how likely is it that this kind of
data is also potentially sold to employers
481
00:45:06,230 --> 00:45:12,000
who may want to poke into your health and
reproductive situation? And then my other
482
00:45:12,000 --> 00:45:17,290
question is entirely different, because we
also know that female health is one of the
483
00:45:17,290 --> 00:45:22,220
least researched topics around, and that's
actually a huge problem. Like so little is
484
00:45:22,220 --> 00:45:27,510
actually known about female health and the
kind of data that these apps collect is
485
00:45:27,510 --> 00:45:34,310
actually a gold mine to advance research
on health issues that are specific for
486
00:45:34,310 --> 00:45:38,920
certain bodies like female bodies. And so
I would also like to know like how would
487
00:45:38,920 --> 00:45:43,860
it be possible to still gather this kind
of data and still to collect it, but use
488
00:45:43,860 --> 00:45:48,490
it for like a beneficial purpose, like it
to improve knowledge on these issues?
489
00:45:48,490 --> 00:45:53,690
Eva: Sure. So to answer your first
question, the answer will be similar to
490
00:45:53,690 --> 00:45:58,300
the previous answer I gave, which is, you
know, it's black box problem. It's like
491
00:45:58,300 --> 00:46:02,410
it's very difficult to know exactly, you
know, what's actually happening to this
492
00:46:02,410 --> 00:46:08,570
data. Obviously, GDPR is there to prevent
something from happening. But as we've
493
00:46:08,570 --> 00:46:17,890
seen from these apps, like they were, you
know, toeing a very blurry line. And so
494
00:46:17,890 --> 00:46:22,360
the risk, obviously, of … this is
something that can’t be relia…. I can't be
495
00:46:22,360 --> 00:46:26,290
saying, oh, this is happening because I
have no evidence that this is happening.
496
00:46:26,290 --> 00:46:31,760
But obviously, the risk of multiple, the
risk of like employers, as you say, the
497
00:46:31,760 --> 00:46:36,490
insurance companies that could get it,
that political parties could get it and
498
00:46:36,490 --> 00:46:40,960
target their messages based on information
they have about your mood, about, you
499
00:46:40,960 --> 00:46:45,260
know, even the fact that you're trying to
start a family. So, yeah, there is a very
500
00:46:45,260 --> 00:46:50,240
broad range of risk. The advertisement we
know for sure is happening because this is
501
00:46:50,240 --> 00:46:55,850
like the basis of their business model.
The risk, the range of risk is very, very
502
00:46:55,850 --> 00:46:59,940
broad.
Chris: To just expand on that: Again, as
503
00:46:59,940 --> 00:47:05,430
Eva said, we can't point out a specific
example of any of this. But if you look at
504
00:47:05,430 --> 00:47:10,260
some of the other data brokers,
Experian is a data broker, they collect.
505
00:47:10,260 --> 00:47:16,350
They have a statutory response. In the UK
is a statutory job of being a credit
506
00:47:16,350 --> 00:47:23,520
reference agency, but they also run what
is believed to be armed data enrichment.
507
00:47:23,520 --> 00:47:29,200
One of the things employers could do
is buy Experian data when hiring
508
00:47:29,200 --> 00:47:35,690
staff. Like I can't say that if this data
ever ends up there. But, you know, as they
509
00:47:35,690 --> 00:47:41,120
all collect, there is people collecting
data and using it for some level of
510
00:47:41,120 --> 00:47:45,450
auditing.
Eva: And to answer your second question.
511
00:47:45,450 --> 00:47:49,810
I think this is a very important problem
you point out is the question of data
512
00:47:49,810 --> 00:47:56,230
inequality and whose data gets collected
for what purpose. There is I do quite a
513
00:47:56,230 --> 00:48:01,100
lot of work on delivery of state services.
For example, when there are populations
514
00:48:01,100 --> 00:48:05,940
that are isolated, not using technology
and so on. You might just be missing out
515
00:48:05,940 --> 00:48:12,450
on people, for example, who should be in
need of health care or state
516
00:48:12,450 --> 00:48:18,120
support and so on. Just because you lack
data about them. And so, female
517
00:48:18,120 --> 00:48:24,260
health is obviously a very key issue. We
just, we literally lack sufficient health
518
00:48:24,260 --> 00:48:30,520
data about women, on women's health
specifically. Now, in terms of how data is
519
00:48:30,520 --> 00:48:35,550
processed in medical research, then
there's actually a protocol in place
520
00:48:35,550 --> 00:48:40,470
normally to ensure, to ensure consent, to
ensure explicit consent, to ensure that
521
00:48:40,470 --> 00:48:47,210
the data is properly collected. And so I
think I wouldn't want you means that you,
522
00:48:47,210 --> 00:48:52,010
just because the way those apps have been
collecting data. If, you know, if there's
523
00:48:52,010 --> 00:48:56,980
one thing to take out of this talk
is that, it's been nothing short of
524
00:48:56,980 --> 00:49:02,370
horrifying, really. That data is being
collected before and shared before you
525
00:49:02,370 --> 00:49:06,320
even get your consent to anything. I
wouldn't trust any of these private
526
00:49:06,320 --> 00:49:16,100
companies to really be the ones carrying
well taking part in in in medical research
527
00:49:16,100 --> 00:49:22,750
or on those. So I agree with you that
there is a need for better and more data
528
00:49:22,750 --> 00:49:28,860
on women's health. But I don't think. I
don't think any of these actors so far
529
00:49:28,860 --> 00:49:33,900
have proved to be trusted on this issue.
Herald: Microphone 2.
530
00:49:33,900 --> 00:49:37,010
Mic 2: Yeah. Thank you for this great
talk. Um. Short question. What do you
531
00:49:37,010 --> 00:49:42,280
think is the rationale of, uh, these
menstruation apps to integrate the
532
00:49:42,280 --> 00:49:46,470
Facebook SDK if they don't get money from
Facebook? OK, uh. Being able to
533
00:49:46,470 --> 00:49:54,160
commercialize and this data.
Chris: Good question. Um, it could be a
534
00:49:54,160 --> 00:50:00,910
mix of things. So sometimes it's literally
the the the developers literally just have
535
00:50:00,910 --> 00:50:05,110
this as part of their tool chain their
workflow when they're developing apps. I
536
00:50:05,110 --> 00:50:08,280
don't necessarily know about these two
period trackers, whether other apps are
537
00:50:08,280 --> 00:50:14,080
developed by these companies. But, uh, in
our in our previous work, which I
538
00:50:14,080 --> 00:50:18,630
presented last year, we find that some
companies just produce a load of apps and
539
00:50:18,630 --> 00:50:22,550
they just use the same tool chain every
time. That includes by default. The
540
00:50:22,550 --> 00:50:29,550
Facebook SDK is part of a tool chain. Uh,
some of them are like included for what I
541
00:50:29,550 --> 00:50:34,270
would regard as genuine purposes. Like
they want their users to share something
542
00:50:34,270 --> 00:50:37,780
or they want their users to be able to log
in with Facebook and those cases, they
543
00:50:37,780 --> 00:50:42,210
included, for what would be regarded a
legitimate reason below them. Just don't
544
00:50:42,210 --> 00:50:47,760
ever actually they haven't integrated it
does appearance and they don't ever really
545
00:50:47,760 --> 00:50:52,070
use anything of it other than that. Mean
that there are a lot of developers simply
546
00:50:52,070 --> 00:51:02,460
quite unaware of the default state is
verbose and how it sends data to Facebook.
547
00:51:02,460 --> 00:51:06,220
Herald: Yeah. Maybe we close with one
last question from me. Um, it doesn't it's
548
00:51:06,220 --> 00:51:12,120
usually a bunch of apps. How many of them
do certificate pinning? Uh, we see this as a
549
00:51:12,120 --> 00:51:16,920
widespread policy or...
Chris: Are they just not really. Yet. I
550
00:51:16,920 --> 00:51:21,930
would have a problem doing an analysis
where stuff could've been pinned. You say
551
00:51:21,930 --> 00:51:28,710
TLS 1.3 is proven to be
more problematic than pinning. Uh, yeah.
552
00:51:28,710 --> 00:51:32,410
Herald: Ok, well, thank you so much. And,
uh. Yeah.
553
00:51:32,410 --> 00:51:40,520
Applause
554
00:51:40,520 --> 00:51:44,200
36C3 Postroll music
555
00:51:44,200 --> 00:52:08,000
Subtitles created by c3subtitles.de
in the year 2020. Join, and help us!