*36C3 preroll music*

Herald: It is my honor to introduce you today to Eva and Chris. Eva is a senior researcher at Privacy International. She works on gender, economic and social rights and how they interplay with the right to privacy, especially in marginalized communities. Chris is the technology lead at Privacy International, and his day-to-day job is to expose companies and how they profit from individuals. Specifically, today they will tell us how these companies can even profit from your menstruation. Thank you.

Chris: Thank you.

*applause*

Chris: Hi, everyone. It's nice to be back at CCC. I was at CCC last year. If you heard my talk from last year, this is going to be a slightly vague part 2. And if not, I'm just going to give you a very brief recap, because there is a relationship between the two.

So, I will give you a little bit of background about how this project started. Then we get to a little bit about menstruation apps and what a menstruation app actually is. I'll talk a little bit through some of the data that these apps are collecting, then how we did our research - our research methodology - and then what our findings are and our conclusions.

So last year, a colleague and I did a project on how Facebook collects data about users on Android devices using the Facebook Android SDK - and this is whether you have a Facebook account or not. For that project, we really looked at when you first open apps, without doing very much interaction with them, particularly at the automatic sending of data in a post-GDPR context. We looked at a load of apps for that project, including a couple of period trackers. And that kind of led on to this project, because we were seeing loads of apps across different categories. So we thought we'd hone in a little bit on period trackers to see what kind of data they share, because it is by far more sensitive than that of many of the other apps out there - though you might consider your music history to be very sensitive... *laughs*

So, yeah. Just a quick update on the previous work from last year: we actually followed up with all of the companies from that report, and by the end of going through multiple rounds of responses, over 60 percent of them had changed practices, either by disabling the Facebook SDK in their app, disabling it until you gave consent, or removing it entirely.
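For anyone who wants to try this kind of traffic analysis themselves, here is a minimal sketch of what the interception step can look like as a mitmproxy addon. This is not PI's actual tooling (their interception environment, described later in the talk, ships as a downloadable VM); the use of mitmproxy, the tracker host list and the logging choices here are assumptions for illustration only.

# tracker_log.py - illustrative sketch, run with:  mitmdump -s tracker_log.py
# The test phone's proxy must point at this machine and trust the mitmproxy CA.
from mitmproxy import ctx, http

# Hosts treated as third-party trackers for this sketch (assumed list).
TRACKER_HOSTS = (
    "graph.facebook.com",   # Facebook SDK app events
    "appsflyer.com",        # AppsFlyer analytics
    "wzrkt.com",            # endpoints associated with the CleverTap SDK
)

class TrackerLog:
    def request(self, flow: http.HTTPFlow) -> None:
        host = flow.request.pretty_host
        if any(host == t or host.endswith("." + t) for t in TRACKER_HOSTS):
            # Flag the request and show the start of its payload,
            # so automatic app events become visible in the log.
            ctx.log.info(f"[tracker] {host} {flow.request.path}")
            body = flow.request.get_text(strict=False)
            if body:
                ctx.log.info(body[:500])

addons = [TrackerLog()]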
So I'll pass over to Eva Blum-Dumontet. She's going to talk you through menstruation apps.

Eva: So I just want to make sure that we're all on the same page - although if you didn't know what a menstruation app is and you still bothered coming to this talk, I'm extremely grateful. So, how many of you are using a menstruation app, or have a partner who's been using a menstruation app? Oh my God. Oh, okay. I didn't expect that, I thought it was going to be much less.

Okay. Well, for the few of you who still might not know what a menstruation app is, I'm still going to go quickly through it. The idea of a menstruation app - we also call them period trackers - is to have an app that tracks your menstruation cycle, so that it tells you which days you're most fertile. You can use that if you're trying to get pregnant, or, if you have for example painful periods, you can plan accordingly. Those are essentially the main two reasons users would be looking into using menstruation apps: pregnancy and period tracking.

Now, how did this research start? As Chris said, there was a whole piece of research that had been done by Privacy International last year on various apps. And as Chris also already said, what I was particularly interested in was the kind of data that menstruation apps are collecting, because, as we'll explain in this talk, it's really not just limited to your menstruation cycle. And so I was interested in seeing what actually happens to the data when it is being shared.

I should say we're really standing on the shoulders of giants when it comes to this research. There was previously existing research on menstruation apps done by a partner organization, Coding Rights in Brazil. They had looked at the kind of data that was collected by menstruation apps and the granularity of this data. Another very interesting thing they were looking at was the gender normativity of those apps. Chris and I have been looking at dozens of these apps, and they have various data sharing practices, as we'll explain in this talk, but one thing all of them have in common is that they are all pink. The other thing is that they talk to their users as women. They don't even seem to consider the fact that maybe not all their users are women.
So there is a very narrow perspective on pregnancy, on female bodies and on how female sexuality functions.

Now, as I was saying, when you're using a menstruation app, it's not just your menstruation cycle that you're entering. These are some of the questions that menstruation apps ask. Sex: there is a lot about sex that they want to know - how often, is it protected or unprotected? Are you smoking? Are you drinking? Are you partying? How often? We even had one app that asked about masturbation, your sleeping patterns, your coffee-drinking habits.

One thing that's really interesting - and we'll talk a little bit more about this later - is that there is a very strong data protection law in Europe called the GDPR, as most of you will know. It says that only data that's strictly necessary should be collected. So I'm still unclear what masturbation has to do with tracking your menstruation cycle, but...

The other thing that was collected is about your health. The reason health is so important is also related to data protection law, because when you're collecting health data, you need to show that you're taking extra steps, because it's considered sensitive personal data. Extra steps in terms of getting explicit consent from the users, but also steps on behalf of the data controller, in terms of showing they're doing more for the security of this data. So this is the type of question that was asked. There is a lot asked about vaginal discharge and what kind of vaginal discharge you get, with all sorts of weird adjectives for it: "sticky", "creamy". So yeah, they clearly thought a lot about this.

And there is a lot about mood as well. I didn't know 'romantic' was a mood, but apparently it is. What's interesting about mood, obviously, in a context where we've seen stories like Cambridge Analytica: we know how much companies, how much political parties, are trying to understand how we think and how we feel. So it's actually quite significant that you have an app collecting information about how we feel on a daily basis.

And obviously, when people enter all this data, their expectation at that point is that the data stays between them and the app. And actually, there is very little in the privacy policies that would suggest otherwise.
So this is the moment where I should say: we're not making this up. Literally everything in this list of questions - these were the literal terms they were asking. So we set out to look at the most popular menstruation apps. Do you want to carry on?

Chris: Yeah. I forgot to introduce myself as well. Really? That's a terrible speaking habit.

Eva: Christopher Weatherhead...

Chris: ...Privacy International's technology lead. So yeah, as I said about our previous research, we have actually looked at most of the very popular menstruation apps, the ones that have hundreds of thousands of downloads. And these apps - as we were saying, this kind of work has been done before, and a lot of these apps have come in for quite a lot of criticism. I'll spare you the free advertising about which ones in particular, but most of them don't do anything particularly outrageous, at least between the app and the developers' servers. A lot of them don't share with third parties at that stage - so you can't look between the app and the server to see what they're sharing. They might be sharing data from the developers' server to Facebook or to other places, but at least you can't see it in between.

But we're an international organization and we work around the globe. Most of the apps that get the most downloads are particularly Western - US, European - but they're not necessarily the most popular apps in contexts like India, the Philippines and Latin America. So we thought we'd have a look at those apps. They're all available in Europe, but they're not necessarily the most popular in Europe. And this is where things started getting interesting.

So what exactly did we do? Well, we started off by triaging through a large number of period trackers. As Eva said earlier: every logo must be pink. We were just looking through to see how many trackers each one had, and who the trackers were - this is using Exodus Privacy; we have our own instance at PI. So, for example, this is Maya, which is exceptionally popular in India, predominantly - it's made by an Indian company. And as you can see, it's got a large number of trackers in it: CleverTap, Facebook, Flurry, Google and InMobi. So we went through this process, and this allowed us to cut down... there's hundreds of period trackers.
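As a rough sketch of how that triage step could be scripted against an Exodus Privacy instance: the endpoint path, the authentication scheme and the response shape below are assumptions (check the API documentation of the instance you use), and the package name is a placeholder, not one of the apps discussed in the talk.

# exodus_triage.py - rough sketch of scripting the tracker triage against an
# Exodus Privacy instance. Endpoint path, auth scheme and response shape are
# assumptions; verify them against your instance's API documentation.
import requests

EXODUS = "https://reports.exodus-privacy.eu.org"  # or your own instance
API_KEY = "..."                                   # hypothetical API token

def tracker_report(handle: str) -> dict:
    """Fetch the raw Exodus report(s) for one Android package name."""
    r = requests.get(
        f"{EXODUS}/api/search/{handle}",
        headers={"Authorization": f"Token {API_KEY}"},
        timeout=30,
    )
    r.raise_for_status()
    # The per-report tracker lists live somewhere in this JSON; print and inspect.
    return r.json()

if __name__ == "__main__":
    # Placeholder package name - substitute the apps you are triaging.
    print(tracker_report("com.example.periodtracker"))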
Not all of them are necessarily bad, but it's nice to see which ones had the most trackers and where they were used, and to triage them a little bit. From this, we then ran them through PI's interception environment, which is a VM that I made. I actually made it last year for the talk I gave last year - I said I'd release it after the talk, and it took me about three months, but it's now available. You can go onto PI's website and download it. It's a man-in-the-middle proxy with a few settings, mainly for looking at iOS and Android apps, to intercept the data flowing between them. So we ran the apps through that, and we got to look at all the data being sent to and from both the app developer and third parties. And here's what we found.

Eva: So, out of the six apps we looked at, five shared data with Facebook. Out of those five, three pinged Facebook to let them know when their users were downloading the app and opening the app. That's already quite significant information, and we'll get to that later.

Now, what's actually interesting, and the focus of our report, was the two apps that shared every single piece of information their users entered with Facebook and other third parties. So, just to brief you: the two apps we focused on are both called Maya - which is all very helpful. One is spelled M-a-y-a. The other one is spelled M-i-a. So, yeah, bear with me, because this is actually quite confusing.

Initially we'll focus on Maya, which is, as Chris mentioned, an app made in India. They have a user base of several million, mostly in India, and they're also quite popular in the Philippines. What's interesting with Maya is that they start sharing data with Facebook before you even get to agree to their privacy policy. And I should say about the privacy policies of a lot of the apps we looked at: they are literally the definition of small print. They're very hard to read, written in legalese. It really puts into perspective the whole question of consent in the GDPR, because the GDPR says consent must be informed - you must be able to understand what you're consenting to. Whereas these extremely long, extremely opaque privacy policies of literally all the menstruation apps we've looked at - excluding one that didn't even bother putting up a privacy policy, actually - it's opaque.
It's very hard to understand, and it absolutely, definitely does not say that they're sharing information with Facebook. As I said, the data sharing happened before you even get to agree to the privacy policy. The other thing worth remembering is that when they share information with Facebook, it doesn't matter whether you have a Facebook account or not - the information is still being relayed.

Another thing you'll notice in several of the slides is that the information being shared is tied to your identity through your unique identifiers and your email address. Most of the questions we got when we released the research were: oh, if I use a fake email address, or if I use a fake name, is that okay? Well, it's not, because through your unique identifiers they would definitely be able to trace you back. There is no way to actually anonymize this process unless you're deliberately trying to trick it and, basically, using a separate phone. For regular users, it's quite difficult.

So this is what it looks like when you enter the data. As I said, I didn't lie to you - this is the kind of question they're asking you. And this is what it looks like when it's being shared with Facebook. You see the symptoms entered - for example blood pressure, swelling, acne - that's all being shipped off to graph.facebook.com, through the Facebook SDK. This is what it looks like when you enter your contraceptive practices. So again, we're talking health data here, we're talking sensitive data - data that should normally require extra steps in terms of how it's collected and how it's processed. But no, in this case it was shared exactly like the rest.

With sex life it was a little bit different. This is what it looks like when they ask you: you just had sex - was it protected, was it unprotected? The way it was shared with Facebook was a little bit cryptic, so to speak: protected sex was entered as love "2", unprotected sex was entered as love "3". I managed to figure that out pretty quickly, so it's not so cryptic.

The other thing that's also quite funny: Maya had a diary section where they encourage people to enter their notes and their personal thoughts.
And I mean, it's a menstruation app, so you can sort of get the idea of what people are going to be writing in there, or are expected to write. It's not going to be their shopping list - although a shopping list could also be sensitive personal information. So we were wondering what would happen if you were to write in this diary and how that data would be processed. So we entered something very sensitive - this is what we wrote - and literally everything we wrote was shared with Facebook.

Maya also shared your health data not just with Facebook, but with a company called CleverTap that's based in California. So what's CleverTap? CleverTap is a data broker, basically. It's a company that, somewhat similarly to Facebook with the Facebook SDK, expects app developers to hand over data, and in exchange the app developers get insights about how people use the app, at what time of day, the age of their users - they get all sorts of information and analytics out of the data they share with this company. It took us some time to figure out, because it was shared as "wicked wizard"?

Chris: Wicket Rocket.

Eva: Wicket Rocket, yeah. But it's exactly the same: everything that was shared with Facebook was also shared with CleverTap, again with the email address we were using - everything.

Let's shift now and look at the other one, Mia. It's not just the name that's similar, it's also the data sharing practices. Mia is based in Cyprus, so in the European Union. I should say that in all cases, regardless of where the company is based, the moment they market their product in the European Union - so literally every app we looked at - they need to, well, they should, respect the GDPR, our European data protection law.

Now, the first thing Mia asks when you start the app - and I'll get to the significance of this later - is why you're using the app: are you using it to try and get pregnant, or are you just using it to track your periods? It's interesting, because it doesn't change at all the way you interact with the app eventually; the app stays exactly the same. But this is actually the most important piece of data. This is literally the gem of data collection: knowing whether a woman is trying to get pregnant or not.
So the reason this is the first question they ask is - well, my guess is - they want to make sure that even if you don't actually end up using the app, that's at least that much information they can collect about you. And this information was shared immediately with Facebook and with AppsFlyer. AppsFlyer is very similar to CleverTap in the way it works: it's also a company that collects data from these apps and offers services in terms of analytics and insights into user behavior. It's based in Israel.

So this is what it looks like when you enter the information - yeah, masturbation, the pill, what kind of pill you're taking, your lifestyle habits. Now, where it's slightly different is that the information doesn't immediately get shared with Facebook; instead, based on the information you enter, you get articles that are tailored for you. So, for example, when you select masturbation, you will get "Masturbation: what you want to know but are ashamed to ask". What's eventually shared with Facebook is the kind of article that's being offered to you. So basically, the information is shared indirectly, because then Facebook knows you've just entered masturbation, because you're getting an article about masturbation. This is what happens when you enter alcohol: "expected effects of alcohol on a woman's body". That's what happens when you enter unprotected sex. So effectively, all the information is still shared, just indirectly, through the articles you're getting.

One last thing I should say about the articles: sometimes they were also cross-referencing the data. So the articles would be about, say: oh, you have cramps outside of your period, for example during your fertile phase. You will get an article specifically for this, and the information shared with Facebook and with AppsFlyer is that this person is in the fertile phase of their cycle and having cramps.

Now, why are menstruation apps so obsessed with finding out whether you're trying to get pregnant? This goes back to what I mentioned before about them wanting to know, in the very first place, if you're trying to get pregnant or not. And this is probably also why a lot of these apps are trying to really nail down, in their language and discourse, what you're using the app for.
When a person is pregnant, their purchasing habits, their consumer habits, change. Obviously, you buy not only for yourself, you start buying for others as well, but you're also buying new things you've never purchased before. So while for a regular person it would be quite difficult to change their purchasing habits, a person who's pregnant - advertisers will be really keen to target them, because this is a point in their life where their habits change and where they can be more easily influenced one way or another. So in other words, it's pink advertising time. In other words - and pictures - there's research done in 2014 in the US that tried to evaluate the value of a person's data. An average American who's not pregnant was worth 10 cents; a person who's pregnant would be one dollar fifty.

So, you may have noticed we were using the past tense when we talked about - well, I hope I did when I was speaking, definitely in the slides at least - we used the past tense when we talked about the data sharing of these apps. That's because both Maya and Mia, the two apps we were really targeting with this report, stopped using the Facebook SDK when we wrote to them about our research, before we published it.

*applause*

It was quite nice, because they didn't even wait for us to actually publish the report. It was merely at the stage of: hey, this is our right-of-response letter, we're going to be publishing this, do you have anything to say about it? And essentially what they had to say was: "Yep, sorry, apologies, we are stopping this."

What's really interesting to me about how quick the response was is that it really shows this is not a vital service for them. It's a plus, it's a useful tool. But the fact that they could immediately just stop using it really shows that - I wouldn't say it's a lazy practice, but it's a case of: as long as no one's complaining, you carry on using it. And I think that was also the case with your research; a lot of them changed their behavior afterwards.

Chris: A lot of the developers sometimes don't even necessarily realize what data they end up sharing with the likes of Facebook or CleverTap. They just integrate the SDK and hope for the best.

Eva: We also got this interesting response from AppsFlyer, which is very hypocritical.
Essentially, what they're saying is: oh, we specifically ask our customers not to share health data with us - specifically for the reason I mentioned earlier, which is that because of the GDPR you're normally expected to take extra steps when you process sensitive health data. So their response is that they ask their customers not to share health data or sensitive personal data with them, so that they don't become liable under the law. They were like: oh, we're sorry, this is a breach of contract. Now, the reason this is very hypocritical is that, obviously, when you have contracts with menstruation apps - and Maya was not the only menstruation app they were working with - what can you generally expect in terms of the kind of data you're going to receive?

So here's a conclusion for us: this research works. It's fun, it's easy to do. Chris has now published the environment, and once the environment is set up, it doesn't actually require a technical background - as you saw from the slides, it's pretty straightforward to understand how the data is being shared. So you should do it, too. But more broadly, we think it's really important to do more research, not just at this stage of the process, but generally about the security and the data sharing practices of apps, because more and more people are interacting with technology and using the Internet. So we need to think much more carefully about the security implications of the apps we use. And obviously, it works. Thank you.

*applause*

Herald: Thank you. So, yeah, please line up in front of the microphones. We can start with microphone two.

Mic 2: Hi. Thank you. So you mentioned that now we can check whether our data is being shared with third parties on the path between the user and the developer. But we cannot know, for all the other apps and for these, whether it's being shared later from the developer, from the company, to other companies. Have you conceptualized some ways of testing that? Is it possible?

Chris: Yes. So you could do a data subject access request under the GDPR. The problem is that it's quite hard to know how that data is processed outside of the app-to-server relationship, so it is quite opaque.
They might apply a different identifier, they might do other manipulations to that data, so trying to track down and prove that a bit of data belongs to you is quite challenging.

Eva: This is something we're going to try - we're going to be doing it in 2020, actually. We're going to be doing data subject access requests for the apps we've been looking at, to see if we find anything, both under the GDPR and under different data protection laws in different countries - to see basically what we get, how much we can obtain from that.

Herald: So I'd go with the Signal Angel.

Signal: So what advice can you give us on how we can make people understand that, from a privacy perspective, it's better to use pen and paper instead of entering sensitive data into any of these apps?

Eva: I definitely wouldn't advise that. I wouldn't advise pen and paper. For us, really, the key thing is that the work we are doing is not actually targeting users, it's targeting companies. We think it's companies that really need to do better. We're often asked about advice to customers, or advice to users and consumers. But what I think, and what we've been telling companies as well, is: your users trust you, and they have the right to trust you. They also have the right to expect that you're respecting the law. The European Union has a very ambitious piece of legislation when it comes to privacy with the GDPR, and the least they can expect is that you're respecting the law. And this is the thing - I think people have the right to use those apps, they have the right to say, well, this is a useful service for me. It's really the companies that need to change. They need to up their game, they need to live up to the expectations of their consumers. Not the other way around.

Herald: Microphone 1.

Mic 1: Hi. So from the talk it seems - and I think that's what you did - that you mostly focused on Android-based apps. Can you maybe comment on what the situation is with iOS? Is there any technical difficulty, or is anything completely different with respect to these apps and apps in general?

Chris: There's not really a technical difficulty - the setup is a little bit different, but functionally you can look at the same kind of data. The focus here, though, is twofold in some respects. Most of the places where these apps are used are heavily Android-dominated territories, places like India and the Philippines.
iOS penetration there - Apple device penetration there - is very low. There's no technical reason not to look at Apple devices, but in this particular context it's not necessarily hugely relevant. Does that answer your question?

Mic 1: And technically, with your setup, you could also do the same analysis with an iOS device?

Chris: Yeah. As I said, it's a little bit of a change to how you do it - you have to register the device with an MDM-style mobile device profile. Otherwise you can do the exact same level of interception.

Mic: Hi. My question is actually related to the last question and is a little bit technical.

Chris: Sure.

Mic: I'm also doing some research on apps, and I've noticed with the newest versions of Android that they're making it more difficult to install custom certificates to have this pass-through and check what the apps are actually communicating to their home servers. Have you found a way to make this easier?

Chris: Yes. So we actually hit the same issue as you, in some respects. Installing custom certificates was not really an obstacle, because if it's a rooted device you can add them to the system store, and then they are trusted by all the apps on the device. The problem we're now hitting is that Android 9 and 10 have TLS 1.3, and TLS 1.3 detects a man in the middle - or at least it tries to - and might terminate the connection. This is a bit of a problem, so currently all our research is still running on Android 8.1 devices. That isn't going to be sustainable long term.

Herald: Um, 4.

Mic 4: Hey, thank you for the great talk. Your research is obviously targeted in a constructive, critical way towards companies that are making apps around menstruation. Did you learn anything from this context that you would want to pass on to people who research this area more generally? I'm thinking, for example, of Paramount Corp in the US, who've done microdosing research on LSD and are starting a breakout study on menstrual issues.

Eva: Well, I think this is what I was concluding on. I think there's still a lot of research that needs to be done in terms of the sharing. And obviously, anything that touches on people's health is a key priority, because it's something people relate to very strongly.
The consequences, especially in the US, for example, of sharing health data like this - of having data on even your blood pressure and so on - what are the consequences if that information gets shared, for example, with insurance companies? This is why I think it's absolutely essential to have a better understanding of the data collection and sharing practices of these services, the moment health data is involved.

Chris: Yeah, because we often focus on this being an advertising issue. But in that sense as well, insurance and even credit referencing and all sorts of other things become problematic, especially when it comes to anything pregnancy-related.

Eva: Yeah, even employers could be after this kind of information.

Herald: Six.

Mic 6: Hi. I'm wondering if there is an easy way, or a tool, which we can use to detect if apps are using our data or are reporting it to Facebook or whatever. Or if we can even use those apps but block this data from being reported to Facebook.

Chris: Yes. So, you can firewall off graph.facebook.com and stop sending data to it. There's a few issues there, though. Firstly, this audience can do that; most users don't have the technical nuance to know what needs to be blocked and what doesn't necessarily need to be blocked. It's on the companies to be careful with users' data. It shouldn't be on the user to defend against malicious data sharing.

Eva: Also, one interesting thing is that Facebook has put something in place where you can opt out of data sharing with the apps you're using - but that only works if you're a Facebook user. And as I said, this data is being collected whether you are a user or not. So, in a sense, people who aren't Facebook users can't opt out of this.

Chris: In the Facebook SDK that developers are integrating, the default state for sharing of data is on - the flag is true. And although there is a long legal text on the help pages for the developer tools, unless you have a decent understanding of local data protection practice or local data protection law, it's not something most developers are going to be able to understand - why this flag should be set to something other than on.
There are loads of flags in the SDK, and which flags should be on and off depends on which jurisdiction you're selling into, or where your users are going to be.

Herald: Signal Angel, again.

Signal: Do you know any good apps which don't share data and are privacy friendly? Probably even one that is open source?

Eva: So, the problem - and this is why I wouldn't want to vouch for any app - is that even for the apps where, in terms of the traffic analysis we've done, we didn't see any data sharing, the data can, as Chris was explaining, be shared at a later stage, and it would be impossible for us to really find out. So no, I can't vouch for any app. I don't know if you can...

Chris: The problem is we only ever look at one specific moment in time to see whether data is being shared, and what was good today might be bad tomorrow; what was bad yesterday might be good today. Although - I was in Argentina recently, speaking to a group of feminist activists, and they have been developing a menstruation tracking app. And the app was removed from the Google Play store because it had illustrations that were deemed pornographic - but they were illustrations of medical-related things. So even people who are trying to do the right thing, going through the open source channels, are still fighting a completely different issue when it comes to menstruation tracking. It's a very fine line.

Herald: Um, three. *inaudible*

Eva: Sorry, can't hear - the mic's not working.

Herald: Microphone three.

Mic 3: Test.

Eva: Yeah, it's great - perfect.

Mic 3: I was wondering if the Graph API endpoint was actually in place to track menstruation data, or is it more like a general-purpose advertisement tracking thing? Yeah.

Chris: So my understanding is that there's two broad kinds of data that Facebook gets. There are the automated app events that Facebook is aware of - app open, app close, app install, relinking. Relinking is quite an important one for Facebook: that way they check whether you already have a Facebook account logged in, to link the app to your Facebook account. And then there's a load of custom events that the app developers can put in. These are then collated back into a data set, I would imagine, on the other side. So when it comes to things like whether it's nausea or some of the other health issues, that is actually being cross-referenced by the developer.
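To make those two categories a bit more concrete, here is a small sketch of pulling developer-defined custom events out of an intercepted Facebook app-events POST body (for example, one saved out of a proxy setup like the one described earlier). The field names ("custom_events", "_eventName", "CUSTOM_APP_EVENTS") and the example payload are assumptions about how this traffic commonly looks in intercepts, not captures from the apps discussed in the talk.

# decode_app_events.py - sketch: extract developer-defined custom events from an
# intercepted Facebook app-events POST body. Field names and the example payload
# are assumptions for illustration, not captured app traffic.
import json
from urllib.parse import parse_qs

def custom_events(post_body: str) -> list:
    """post_body is the form-encoded body of a POST to a graph.facebook.com app-events endpoint."""
    fields = parse_qs(post_body)
    raw = fields.get("custom_events", ["[]"])[0]   # JSON array of events, if present
    return json.loads(raw)

# Illustrative, made-up body mimicking the "love 2 / love 3" style of event:
example = "event=CUSTOM_APP_EVENTS&custom_events=%5B%7B%22_eventName%22%3A%22Love%22%2C%22value%22%3A%222%22%7D%5D"
for ev in custom_events(example):
    print(ev)   # {'_eventName': 'Love', 'value': '2'}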
Does that answer your question?

Mic 3: Yes, thank you.

Herald: Five, microphone five.

Mic 5: Can you repeat what you said in the beginning about the menstruation apps used in Europe, especially Clue and Period Tracker?

Eva: Yeah. So those are the most popular apps, actually, across the world, not just in Europe and the US. A lot of them have, at the traffic analysis stage, now cleaned up their apps, so we can't see any data sharing happening at that stage. But as I said, I can't vouch for them and say, oh yeah, those are safe and fine to use, because we don't know what actually happens to the data once it's been collected by the app. All we can say is that, as far as the research we've done goes, we didn't see any data being shared.

Chris: The apps you mention have been investigated by The Wall Street Journal and The New York Times relatively recently, so they've had quite a spotlight on them. They've had to really up their game in a lot of ways, which is what we would like everyone to do. But as Eva says, we don't know what else they might be doing with that data on their side - not between the phone and the server, but from their server to another server.

Herald: Microphone one.

Mic 1: Hi. Thank you for the insightful talk. I have a question that goes in a similar direction. Do you know whether or not these apps, even if they adhere to GDPR rules, collect the data to then, at a later point, sell it to the highest bidder? Because a lot of them are free to use, and I wonder what their main goal is besides that.

Eva: I mean, advertising is how they make a profit. The whole point of them trying to know whether you're pregnant or not is that this information can eventually be monetized through how they target advertising at you. Actually, when you're using those apps - you can see it in some of the slides - you're constantly being flooded with all sorts of advertisements in the app. Whether they are selling the data externally or not, I can't tell. But what I can tell is that their business model is advertising, and so they are deriving profit from the data they collect. Absolutely.

Herald: Again, on microphone one.

Mic 1: Thank you.
I was wondering if there is more of a big-data kind of aspect to it as well, because this is really interesting medical information on women's cycles in general.

Eva: Yeah, and the answer is - this is a bit of a black box, especially in the way, for example, that Facebook is using this data: we don't know. We can assume this is part of the profiling that Facebook does of both their users and their non-users. But the way this data is actually processed, also by those apps, through data brokers and so on - it's a bit of a black box.

Herald: Microphone 1.

Mic 1: Yeah. Thank you a lot for your talk. I have two completely different questions. The first one is: you've been focusing a lot on advertising and how this data is used and sold to advertisers. But whether you aim to be pregnant or not has to be the best-kept secret, at least in Switzerland, for any female person, because if you want to get employed, your employer must not know whether or not you want to get pregnant. So I would like to ask: how likely is it that this kind of data is also potentially sold to employers who may want to poke into your health and reproductive situation? And then my other question is entirely different, because we also know that female health is one of the least researched topics around, and that's actually a huge problem - so little is actually known about female health, and the kind of data that these apps collect is actually a gold mine for advancing research on health issues that are specific to certain bodies, like female bodies. So I would also like to know: how would it be possible to still gather and collect this kind of data, but use it for a beneficial purpose, to improve knowledge on these issues?

Eva: Sure. So, to answer your first question, the answer will be similar to the previous answer I gave, which is the black-box problem. It's very difficult to know exactly what's actually happening to this data. Obviously, the GDPR is there to prevent that sort of thing from happening, but as we've seen from these apps, they were toeing a very blurry line. And so the risk, obviously - this is something I can't say is happening, because I have no evidence that it is happening.
But obviously there is the risk of employers, as you say, of insurance companies that could get it, of political parties that could get it and target their messages based on information they have about your mood, or even about the fact that you're trying to start a family. So there is a very broad range of risks. The advertising we know for sure is happening, because it is the basis of their business model. But the range of risks is very, very broad.

Chris: Just to expand on that: again, as Eva said, we can't point to a specific example of any of this. But if you look at some of the other data brokers - Experian, for instance, is a data broker; in the UK it has the statutory job of being a credit reference agency, but it also runs what is believed to be a data enrichment arm. One of the things employers can do is buy Experian data when hiring staff. I can't say whether this data ever ends up there. But, you know, there are people collecting data and using it for some level of auditing.

Eva: And to answer your second question: I think you point out a very important problem, the question of data inequality and whose data gets collected for what purpose. We do quite a lot of work on the delivery of state services, for example, where there are populations that are isolated, not using technology and so on. You might just be missing out on people who are in need of health care or state support, simply because you lack data about them. And female health is obviously a very key issue there; we literally lack sufficient health data about women, on women's health specifically.

Now, in terms of how data is processed in medical research, there are actually protocols in place, normally, to ensure consent - explicit consent - and to ensure that the data is properly collected. And so, just because of the way these apps have been collecting data - if there's one thing to take out of this talk, it's that it's been nothing short of horrifying, really, that data is being collected and shared before you even get to consent to anything - I wouldn't trust any of these private companies to be the ones carrying out, or taking part in, medical research on these issues.
So I agree with you that there is a need for better and more data on women's health. But I don't think any of these actors have so far proved that they can be trusted on this issue.

Herald: Microphone 2.

Mic 2: Yeah, thank you for this great talk. Short question: what do you think is the rationale for these menstruation apps to integrate the Facebook SDK, if they don't get money from Facebook for it - beyond being able to commercialize this data?

Chris: Good question. It could be a mix of things. Sometimes the developers literally just have this as part of their tool chain, their workflow, when they're developing apps. I don't know for these two period trackers whether other apps are developed by the same companies, but in our previous work, which I presented last year, we found that some companies just produce a load of apps and use the same tool chain every time, and that tool chain includes the Facebook SDK by default. Some of them include it for what I would regard as genuine purposes - they want their users to share something, or to be able to log in with Facebook. In those cases they included it for what would be regarded as a legitimate reason, but then they don't ever really use anything of it beyond that. And there are a lot of developers who are simply quite unaware of how verbose the default state is and how much data it sends to Facebook.

Herald: Yeah. Maybe we close with one last question from me. You looked at a whole bunch of apps - how many of them do certificate pinning? Do you see that as a widespread practice, or...?

Chris: They just don't, really, yet. We would have had a problem doing the analysis where stuff had been pinned. As I say, TLS 1.3 has proven to be more problematic than pinning.

Herald: Okay, well, thank you so much. And, uh, yeah.

*applause*

*36C3 postroll music*

Subtitles created by c3subtitles.de in the year 2020. Join, and help us!