Note: This post has been adapted from a talk I gave back in May 2021, on a panel hosed byMelbourne Activist Legal Support for Law Week 2021, on the topic of Activism, Surveillance, and Digital Security Awareness. The full audio from the panel is online here.
The topic I was given was “What is one thing no one asks, but you wish they did?”
* * *
One question that no one ever asks me, but that I wish people did, is “What information about me can app developers see?”
When we were first starting to make Meetniq, our meeting minutes and task organising app for activists, we spent a lot of time and effort making it trustworthy, and getting ready to explain to people why they should trust us with such sensitive data. Would they think we were cops? Would they worry we were selling their data?
We wrote FAQs, we thought about how we could prove our credentials, and we asked as little as possible.
And no one ever asked us what we could see.
And no one ever read it. (And we can tell - more on that later.)
As time went on I learned more about hacking, security and online surveillance. In 2014 I watched a professional data miner demonstrate how he could probably change the outcome of a US congressional vote through social media manipulation. I got more worried about the safety of my own data and everyone else’s.
And no one asked us.
News came out that Equifax (accidentally) leaked millions of people’s data, Google devs were reading your email, Facebook and OK Cupid both admitted to running psychological experiments on unwitting users. Strava, a running app, accidentally exposed the location of secret military bases, and the list could go on.
And none of Meetniq’s users ever asked us what we collect, why, or what we do with it.
Fake twitter profiles and political messaging targeted right down to the individual swung an election in the US. Australia got data retention laws at the same time as Europe got extra privacy protections. Barbie dolls started recording children’s play. Businesses lost millions of users' personal data.
We’ve all seen stories of infiltrators in activist groups, and these days friends ask whether their phone is listening to them. But, seven years on, hardly anyone has ever asked us at Meetniq anything about our security, the safety of their data, or what we know about our users.
And it concerns me.
I don’t know if people are just numb to the amount of data they are asked for. Maybe they believe that it’s only computers, and not people, who can see it. Probably they’re just too busy to think about this sort of thing. Or the problem feels too big to tackle now.
I suspect it’s a mixture.
But I’d like you know what your data looks like from my end, and what it can look like for apps that aren’t as concerned with your privacy as Meetniq is.
It’s a step away from the forms of surveillance and security other panellists are talking about. It’s not sexy. But I think that understanding basic data collection, and outright corporate surveillance, is key to understanding what we need to do to bring back a semblance of privacy and defend space for dissent.
* * *
If a hypothetical user, Maria, logged in to our app Meetniq right now, this is what I’d be able to say about her:
“Maria logged in at 5.30pm, using Firefox on an iPad in Brunswick, Australia. She went into the account for her group, Engineers Against Borders. She set up a new task for Tom. He needs to buy bolt cutters before next Monday. Then she logged out.”
It’s not earth shattering, but I suspect it’s a lot more information than most people realise.
As an app owner, I know approximately where you are, and the type of device and browser you’re using, because this information is part of the basic way the Internet works. My server needs to know your IP address, so I know where to serve the page you asked for. Unless you use a VPN, your IP address tells me your approximate location. Your request includes your browser and operating system information because often bugs only affect certain browsers.
We track the time you take each action on our app, in our logs. We look at logs to understand bugs, to make sure we’re not being hacked, and sometimes to make sure you’re not in the middle of something before we shut things down for maintenance.
The detail of your meetings and tasks need to be in our app’s database, or it wouldn’t work. We don’t read these – we actively avoid seeing this sort of information. We have personal ethics, policies, laws, and a user agreement which governs this. But I want you to understand that we technically, physically could. There’s nothing technical that prevents us, and this is true for the majority of apps you use.
Some apps, such as Session, are encrypted in such a way that the developers should not be able to see your content, no matter what. However this is only feasible for simple tools, like text messaging or email. With something more complex, that needs to compute things for you, or display something for you to others, locking the app and the developers out of your information just isn’t doable.
Apps that are more intrusive, but still not actively not exploiting you, are likely to have a lot more information. If an app is using tools to monitor how easy their site is to use, for example, they might also know what Maria looked at, what she typed but deleted, what she hovered her cursor over. They might have access to her location data, her personal contact information, or medical information, depending on the type of app.
Beyond that, we get into surveillance capitalism territory, with things like:
- Surveillance cameras and phone tagging.
- Rewards schemes and credit cards that track your spending.
- Location data, photo access, microphone use and contact list monitoring.
- Mood interpretation and relationship tracking.
- Age, gender, home address, number of children, interests.
- Search history monitoring.
- Tracking you across the web with pixels and ads and cookies.
The sort of things these tech giants and data brokers might know about Maria is more like this:
“Maria is 36, lives with a friend in Fawkner and works as a lawyer in Brunswick. She has a large extended family. She’s bisexual, single, left wing, probably votes Greens, likes crunchy peanut butter, and is thinking about having a baby using a donor. She spent 7 minutes reading a privacy article after clicking a link posted on Facebook by her cousin Gina.”
* * *
It’s all very creepy, but what does it have to do with activism?
Activists need to understand what developers and app owners can see, so they can make good decisions about what data they expose about themselves, their plans, and their communities.
The data that exists isn’t only being used by advertisers. It is collated by data brokers, and available for purchase by pretty much anyone. It is readily found by private spies.
We know that corporate targets of activism, such as mining companies, do hire private spies to learn about activists targeting them. Companies like Amazon have reportedly used social media to monitor labour organising.
When we have so much data exposed we are open to attackers rendering our actions ineffective, infiltrating our organisations, or leading us to legal trouble.
Like most things, this wont be solved through individual action. We need better, clearer, toothier regulation to persuade companies to collect, collate, and share data appropriately. And we need a wave of consumer interest in making sure apps and software are collecting the least they can.
But there are things you can do, especially if you are working in direct action or have highly sophisticated adversaries.
Please think about the tools you use for your activism and whether the trade-off of privacy is worth it - check out Privacy Tools for ideas. If you’re discussing sensitive plans, do it away from phones, laptops and other microphones. Listen to the experts and take your mundane security seriously. Get a password manager and use it. Use 2 factor authentication where you can.
Check out the EFF’s surveillance self defence website for a great guide.
And please, please, ask us app developers what we’re doing with your data!
* * *
I’m not a security expert, but if you want the absolute basics, or just want to hear horror stories about poor data practices, get in touch. I don’t get to nerd about this stuff nearly as much as I’d like.