The privacy trade-offs of cheap Android smartphones
Seventeen dollars for a smartphone sounds like a great deal, especially for people living in poverty who can barely afford rent.
But there’s a problem: low-cost smartphones are privacy nightmares.
According to an analysis by the advocacy group Privacy International, a $17 Android smartphone called MYA2 MyPhone, which was launched in December 2017, has a host of privacy problems that make its owner vulnerable to hackers and to data-hungry tech companies.
First, it comes with an outdated version of Android with known security vulnerabilities that can’t be updated or patched. The MYA2 also has apps that can’t be updated or deleted, and those apps contain multiple security and privacy flaws. One of those pre-installed apps that can’t be removed, Facebook Lite, gets default permission to track everywhere you go, upload all your contacts, and read your phone’s calendar. The fact that Facebook Lite can’t be removed is especially worrying because the app suffered a major privacy snafu earlier this year when hundreds of millions of Facebook Lite users had their passwords exposed. Facebook did not respond to request for comment.
Philippines-based MyPhone said the specs of the MYA2 limited it to shipping the phone with Android 6.0, and since then it says it has “lost access and support to update the apps we have pre-installed” with the device. Given that the MYA2 phone, like many low-cost Android smartphones, runs outdated versions of the Android OS and can’t be updated due to their hardware limitations, users of such phones are limited to relatively light privacy protections compared to what modern OSes, like Android 10, offer today.
The MYA2 is just one example of how cheap smartphones leak personal information, provide few if any privacy protections, and are incredibly easy to hack compared to their more expensive counterparts.
Yet millions of Americans who can’t afford to buy a computer or install broadband internet at home often have no choice but to use such devices, which become their sole means of accessing the internet. If they want to enjoy the same basic conveniences that people in higher socioeconomic tiers have—such as transportation directions, online bill pay, and email—they may have to give up their privacy in exchange.
Last month, researchers Jan Fernback and Gwen Shaffer from the Media, Inequality, and Change (MIC) Center, a joint venture between the University of Pennsylvania and Rutgers University, published a study based on focus groups with 79 Americans who rely primarily on their phones to get online. What they found was disturbing: “Nearly all study participants shared stories of relinquishing their data privacy, which we consider to be a basic civil right, in exchange for the ability to access online services and platforms,” the researchers write.
Researchers refer to this group of people—about one in five American adults today, according to data from Pew Research—as “smartphone-only” internet users. In the United States, these users are mainly made up of economically disadvantaged individuals, who are disproportionately black and Hispanic.
But this is a global problem as well. The World Advertising Research Center (WARC) says that as of this year, two billion people globally currently access the internet via only their smartphone—or 51% of total internet users. That number is on track to skyrocket in the next five years. By 2025, WARC estimates that 3.7 billion people, or over 72% of projected internet users, will be smartphone-only internet users.
The downside of smartphones
It’s not just the apps and operating system on low-cost smartphones like the MYA2 MyPhone that are the problem. As the MIC Center’s white paper shows, the very nature of the smartphone leaves users more vulnerable than personal computers do.
Compared to desktop computers, smartphones collect much more data about a user, including health data and real-time geolocation data, and this information is often sent to outside parties like Facebook and data brokers. This means, for example, that external actors could use data about how often you’ve been in a church to infer how religious you are, or they could analyze leaked women’s menstrual data to determine if they are pregnant. On top of this, some nation-states can and often do work hand in hand with cellular service providers to help access this data, which allows Orwellian-leaning governments to track entire groups of people.
Further, many smartphones also do not have basic protections like firewalls that come with computers. Security patches are often slow to arrive on low-cost smartphones—or are never patched at all. While most personal computers can be hacked over a Wi-Fi connection, smartphones have many more vectors of attack, including over cellular and Bluetooth connections.
Because they aren’t turned off or put to sleep at night like computers often are, smartphones also generally send and collect data 24 hours a day. This means the data they leak, either voluntarily or through security vulnerabilities, flows around the clock. Just one such example: by default, many apps on low-cost Android smartphones have access to your location 24 hours a day, meaning companies can infer where you sleep by simply seeing when your phone’s location stops moving for the day.
To be clear, it’s possible to be an online-only smartphone user and still retain a relatively high degree of privacy. Getting an iPhone–even an older, used one–is one way to do this. However, economically disadvantaged people often can’t afford a luxury like a high-end iPhone or an Android flagship with better privacy protections. As a result, tens of millions of Americans and billions of other people across the world have little choice but to sacrifice their privacy and security if they want to get online, which is a virtual necessity in today’s world.
As Pew has pointed out, the internet is an essential resource for job seekers. When was the last time you saw a job posted in the “help wanted” section of a newspaper before being posted on LinkedIn or Monster.com? Yet people in lower socioeconomic tiers are condemned to having less privacy than their wealthier counterparts if they want to access the same essential resources simply because of the devices they are able to afford.
“Some focus group participants reported that, in an effort to maintain data privacy, they modify online activities in ways that harm personal relationships and force them to forego job opportunities,” write the MIC report authors Jan Fernback and Gwen Shaffer.
The best way to protect everyone: regulation
There’s only one way to effectively protect the privacy of everyone who goes online, regardless of the devices they’re using: comprehensive regulation to protect people’s privacy. While companies like Apple are to be lauded for prioritizing privacy protections, people around the world should not be reliant on tech giants building privacy safeguards for only a population that can afford it.
“The government should also proactively take up the cudgels on behalf of its citizens, most of whom find themselves beholden to the whims of big businesses,” said Jam Jacobs, a privacy advocate at the Foundation for Media Alternatives, in a response to Privacy International’s report. “Regulators cannot expect the private sector to get things right all on their own. That would be a sure recipe for failure and an abandonment of their clear mandate as public servants.”
Until that happens, there are some ways smartphone-only internet users can take steps to protect themselves, like using a paid VPN service if financially possible (as a rule of thumb, “free” VPNs should be avoided), downloading secure messaging apps like Signal to talk to friends instead of apps like Facebook Messenger or the built-in texting app, and installing privacy-focused browsers like Firefox Focus and Brave on your smartphone. Additionally, if your low-cost smartphone allows it, users should delete privacy-intrusive apps like Facebook Lite.
Still, while following these steps can make smartphone-only internet users—and all internet users—safer and enable them to retain slightly more privacy online, these methods are a Band-Aid at best. What is really required is a cure in the form of universal data privacy laws that ensure protections for everyone, regardless of socioeconomic status. As Fernback and Shaffer note, “Privacy is a public good and a fundamental value in a democratic society. In fact, it is a requirement of basic human dignity.”
And it is a dignity that billions of people across the world, including tens of millions of the most disadvantaged Americans, aren’t currently being afforded.
from Hacker News https://ift.tt/2pCPkOd