At a glance.
- Do anti-pornography apps amount to spyware?
- Update on the Optus data breach.
Do anti-pornography apps amount to spyware?
Wired takes an in-depth look at the rise of anti-pornography apps used to control what people view on their phones and other devices. Platforms like Covenant Eyes are marketed as “accountability apps” and are capable of monitoring everything a user views and does on their device: detecting pornographic images and collecting internet histories, complete with screenshots and reports on web activity. The data is sent to an “accountability partner,” and such surveillance software has become popular among parents and churches wishing to keep tabs on their offspring or congregants.
Such surveillance certainly raises questions about privacy rights, and Google found that at least two of the top accountability apps, Covenant Eyes and Accountable2You, violate its policies. A Covenant Eyes spokesperson said the company is “concerned” about “people being monitored without proper consent,” and discourages the app’s use in relationships where there’s a power imbalance, noting that “accountability relationships are better off between people who already know each other and want the best for one another, such as close personal friends and family members.” Still, researchers found that such apps are taking advantage of Android’s accessibility permissions in order to collect far more data than is necessary to police porn viewing, monitoring virtually everything the user does on their phone. And the collection of such copious amounts of data raises questions about how the data is stored and protected and what could happen if it lands in the wrong hands. Spokesperson Danielle Cohen stated, “Google Play permits the use of the Accessibility API for a wide range of applications. However, only services that are designed to help people with disabilities access their device or otherwise overcome challenges stemming from their disabilities are eligible to declare that they are accessibility tools.” When informed about the apps’ exploitation of accessibility permissions, Google suspended Covenant Eyes and Accountable2You from the Google Play store, but both apps are still available on iOS, as it has not been confirmed that they are exploiting Apple’s permissions.
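The abuse described above hinges on which packages hold Android's accessibility permission, and that list is readable from a device's secure settings (`adb shell settings get secure enabled_accessibility_services` prints it as colon-separated `package/Service` entries). The script below is an added illustration, not code from the Wired article, Google, or any of the apps named; it parses that setting and flags any package not on an allowlist. The sample setting value and the `com.example.monitor` package are constructed for the example, and the TalkBack screen-reader package is assumed as a typical legitimate entry.

```shell
#!/bin/sh
# Audit which packages hold Android accessibility access.
# Input format (the value of Settings.Secure "enabled_accessibility_services"):
#   pkg.one/pkg.one.ServiceA:pkg.two/pkg.two.ServiceB
# On a connected device the live value comes from:
#   adb shell settings get secure enabled_accessibility_services
# An empty string or the literal "null" means no service is enabled.

# Packages expected to hold accessibility access. Assumption: a real
# deployment would fill this from its own policy; TalkBack is used here
# only as a typical legitimate screen reader.
ALLOWLIST="com.google.android.marvin.talkback"

# Print one package name per line for every enabled accessibility service.
list_accessibility_packages() {
    # $1: raw setting value
    printf '%s\n' "$1" | tr ':' '\n' | sed -n 's#^\([^/]*\)/.*#\1#p' | sort -u
}

# Print every package with accessibility access that is not on the allowlist.
# Always returns 0 so callers can capture the output under `set -e`.
flag_unexpected() {
    # $1: raw setting value
    for pkg in $(list_accessibility_packages "$1"); do
        case " $ALLOWLIST " in
            *" $pkg "*) ;;                 # expected, say nothing
            *) printf '%s\n' "$pkg" ;;     # unexpected: worth investigating
        esac
    done
    return 0
}

# Constructed sample: one expected screen reader plus one unknown monitor.
SAMPLE_SETTING="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.monitor/com.example.monitor.WatchService"

echo "Packages with accessibility access:"
list_accessibility_packages "$SAMPLE_SETTING"
echo "Not on the allowlist:"
flag_unexpected "$SAMPLE_SETTING"
```

Replace `SAMPLE_SETTING` with the output of the `adb` command to run the check against a real device; a package that appears in the second list without an obvious accessibility purpose is the kind of app the article describes, and its full set of granted permissions deserves a closer look.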
Update on the Optus data breach.
As we noted yesterday, Australian wireless carrier Optus suffered a cyberattack this week that resulted in the compromise of customer data. The Office of the Australian Information Commissioner has released an official statement on the breach, explaining, “The OAIC will engage with Optus to ensure compliance with the requirements of the Notifiable Data Breaches (NDB) scheme in accordance with our usual process.” Though Optus says it’s still unsure just how many individuals were affected, customers dating as far back as 2017 could have been impacted, the Guardian reports. CEO Kelly Bayer Rosmarin says the possibility that the incident impacted Optus’s entire subscriber base – approximately 9.8 million customers – would be the “worst case scenario.” She added, “We have reason to believe that the number is actually smaller than that. But we are working through reconstructing exactly what the attackers have received.” It is believed that the attackers exploited a vulnerability in an application programming interface (API), but Optus has not confirmed this, as an investigation headed by the Australian federal police and the Australian Cyber Security Centre is still ongoing.
Because Optus is waiting until the investigation is complete before sending official notification letters to victims, it has relied on informing customers of the breach through the media. Some Optus customers have taken to social media to express their frustration at what they feel is a lack of clarity. But Kaspersky cyber-security researcher David Emm told BBC News, “It's good to see that Optus has said that it will contact those it believes are affected and that they will not be sending messages in emails or via SMS [text] messages - this makes it clear to customers that any such messages they receive will be fake.” It’s worth noting that on Twitter, threat analyst Brett Callow stated that names and email addresses of 1.1 million Optus customers had been posted for sale online since September 17th, but Bayer Rosmarin did not confirm whether this was true or whether it was connected to the breach. “We don’t yet know who these attackers are and what they want to do with this information, which is why we really need a team Australia response,” Bayer Rosmarin said. In the meantime, for customers who are concerned their data might have been exposed, ABC notes that Optus recommends looking to the government's Money Smart platform and the Identity Fraud page on the Office of the Australian Information Commissioner website for guidance.