You are your own privacy threat vector

In my last post I talked about securing your network for $35. With simple tools like Pi-Hole, it’s very easy to see what’s trying to leave your network. Just after installing the Pi-Hole I caught communication to a C2 server from my son’s computer. It had been infected with a Java-based botnet agent thanks to a Minecraft modpack that included a little extra something something.

Something else that ends up being very easy to see is just how much privacy you are giving away to companies that want to hoover up your data. Have a look at this:

Among the top 5 blocked DNS domains on my home network, three of them have to do with Snapchat. That’d be my 16-year-old daughter’s handiwork. I imagine half of these queries involved duck lips of some manner.

You’ll also see other domains having to do with app analytics. Some seem innocuous, like Crashlytics, but if you do a bit of poking around you’ll see that Crashlytics is owned by <drumroll please>…. Google.

Let’s dive deeper:

  • app-analytics.snapchat.com -> Snapchat domain that collects all kinds of app usage information
  • sc-analytics.appspot.com -> Snapchat’s analytics engine sending information to a Google service
  • graph.instagram.com -> Instagram’s API service
  • e.crashlytics.com -> Unsure what the service is (‘e’) but Crashlytics is owned by Google
  • usc.adserver.snapads.com -> Snapchat ad service
  • reports.crashlytics.com -> Google
  • news.iadsdk.apple.com -> ads served into Apple’s News app
  • googleapis.l.google.com -> Google
  • graph.facebook.com -> Facebook’s API service
  • s.youtube.com -> ad service for YouTube.

So, in the top 10 we have only 4 companies represented:

  • Snapchat
  • Facebook
  • Google
  • Apple
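
The same roll-up from blocked domains to owning companies can be scripted. This is an added example, not code from the original post: it assumes the Pi-hole log contains dnsmasq lines of the form `gravity blocked <domain> is <address>`, the sample lines are constructed, and the owner table comes from the list above (Instagram is counted under its owner, Facebook).

```python
import re
from collections import Counter

# Owner per domain suffix, from the list in the post. Longest suffix wins, so
# sc-analytics.appspot.com counts as Snapchat although appspot.com is Google's.
OWNERS = {
    "snapchat.com": "Snapchat", "snapads.com": "Snapchat",
    "sc-analytics.appspot.com": "Snapchat", "appspot.com": "Google",
    "crashlytics.com": "Google", "google.com": "Google",
    "youtube.com": "Google", "apple.com": "Apple",
    "instagram.com": "Facebook", "facebook.com": "Facebook",
}

# Assumed log shape: dnsmasq lines written by Pi-hole for blocked queries.
BLOCKED = re.compile(r"dnsmasq\[\d+\]: gravity blocked (\S+) is ")


def owner_of(domain):
    """Return the owner of the longest matching suffix, or 'unknown'."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # i = 0 is the full name, i.e. longest first
        suffix = ".".join(labels[i:])
        if suffix in OWNERS:
            return OWNERS[suffix]
    return "unknown"


def blocked_by_owner(lines):
    """Count blocked queries per owning company; other log lines are ignored."""
    counts = Counter()
    for line in lines:
        match = BLOCKED.search(line)
        if match:
            counts[owner_of(match.group(1))] += 1
    return counts


# Constructed sample lines, not taken from the author's network.
SAMPLE = """\
Mar  3 18:02:11 dnsmasq[612]: query[A] app-analytics.snapchat.com from 192.168.1.23
Mar  3 18:02:11 dnsmasq[612]: gravity blocked app-analytics.snapchat.com is 0.0.0.0
Mar  3 18:02:12 dnsmasq[612]: gravity blocked sc-analytics.appspot.com is 0.0.0.0
Mar  3 18:02:14 dnsmasq[612]: gravity blocked graph.instagram.com is 0.0.0.0
Mar  3 18:02:15 dnsmasq[612]: gravity blocked e.crashlytics.com is 0.0.0.0
Mar  3 18:02:19 dnsmasq[612]: gravity blocked news.iadsdk.apple.com is 0.0.0.0
""".splitlines()

if __name__ == "__main__":
    for owner, n in blocked_by_owner(SAMPLE).most_common():
        print(f"{n:4d}  {owner}")
```
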

My goal here isn’t to say you shouldn’t use apps and services from these companies. My goal here is to open your eyes just a crack to the fact that, with few exceptions, you really are the product. Free services are great and all, but understand that you’re heavily trading information about you and your habits in order to use things like Snapchat, Facebook, Google, etc. These companies construct dossiers about their targets in order to sell them to advertisers. Google is an advertising company first and foremost. Consider whether this is a fair trade.

If the government was this intrusive into our lives, we’d probably all be yelling, “Stasi!!” Yet we give this information willingly to companies that we do not control, with no idea what happens to that information (lol ‘privacy policy’). And given that these companies have ever-increasing portfolios of services – particularly for app engine things like analytics and crash reporting – we cannot control where our data ends up.

Where does this end?