Hacking Humans 3.17.22
Ep 188 | 3.17.22

Data privacy: is it black and white when it comes to your kids?

Transcript

David Ruiz: Eighty-four percent of the parents that we asked, they did admit to some form of electronic monitoring of their children. And we think that number is extremely high.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Got some good stories to share this week. And later in the show, Carole Theriault returns. She speaks with David Ruiz from Malwarebytes. They're talking about parents spying on their kids. 

Dave Bittner: All right. Joe, before we get to our stories, we have quite a bit of follow-up this week. 

Joe Carrigan: Indeed, we do. 

Dave Bittner: So let's jump in here. You want to take this first one? 

Joe Carrigan: I'll take the first one. It comes from a listener named Casey, who says, I just wanted to say that your story about the coming "Minority Report" situation in public schools was interesting in a scary way. He says he also loves the podcast. Keep them coming. 

Dave Bittner: Yeah. No, thank you, Casey, for writing in. We got one from Jonathan. Jonathan says at the end of the first half of Episode 186, you mentioned a programmer job scam where the person just flips jobs every few weeks and never really does anything. 

Joe Carrigan: Yep. 

Dave Bittner: The twist I've seen is where the contractor gets the job, then farms out the actual work to a Chinese or Indian outsourcer at a fraction of their salary and claims it as their own. Having two or three of these scams going on together at a day rate of about 500 pounds equals about $2,000 daily. Being a project manager with three projects is hard, but not $2,000 per day hard. 

Joe Carrigan: Right. Yeah. 

Dave Bittner: Yeah. That's certainly another way to go at it. 

Joe Carrigan: Gives me an idea, Dave. 

Dave Bittner: (Laughter) Why, Joe is on a lot of podcasts lately. 

Joe Carrigan: You know, I don't know. Is this really a scam? I mean, you're providing the work. You're doing the work for the agreed-upon price, right? 

Dave Bittner: If the people are happy with the work, then I suppose there's no real problem with it. 

Joe Carrigan: Yeah. I don't know that this - I mean, because they're paying you for the work, but - and you're delivering the work. 

Dave Bittner: Yeah. 

Joe Carrigan: What do they care about how it's done? 

Dave Bittner: Well, I mean, I suppose it's fraudulent in that if you are representing it as being your own work, then you're not being on the up and up. But ultimately - if they - because if they wanted to hire a contractor, they would have hired a contractor. 

Joe Carrigan: Right. I mean, the only thing that concerns me about this is if they're doing it with, you know, if they're doing it for a company that is very concerned about intellectual property. I guess, you know, there's your concern is that you're putting the intellectual property at risk. 

Dave Bittner: Right. You're offshoring, basically. 

Joe Carrigan: Right. Yeah. 

Dave Bittner: Absolutely. Yeah. All right. Well, good point from Jonathan. Our final bit of follow-up this week. Listener writes in and says, hey, I was listening to a recent episode of "Hacking Humans" regarding the problem of redirects in web browsing. A site I found helpful is called Redirective Detectrive. 

Joe Carrigan: (Laughter) Rolls right off the tongue, doesn't it? 

Dave Bittner: Redirective Detective. Yeah. Given the episode's subject matter, I won't provide a link, but it should be the top hit in any search engine. This site allows you to drop in a suspicious URL. It'll check for redirects. Like any tool, it's not foolproof, but something people can use to check for suspect sites. Love the show. Keep up the great work. That's another good one. 

Joe Carrigan: Yeah. 

Dave Bittner: Yeah. You know, I love that there are all these little tools that you can drop suspicious URLs in. You should - good to have those bookmarks, so if there is something, you know, you think might be not on the up and up, you can drop it in there. And, you know, what do they call it? Pre-detonate it. 

Joe Carrigan: Pre-detonate it. Right. VirusTotal also has a URL feature that you can use. 

Dave Bittner: Yeah. 

Joe Carrigan: So if you got a suspicious URL, you can just copy and paste it right into that, and VirusTotal will detonate it for you and you can see how it goes. But this Redirector Detector - it kind of does roll off the tongue. Once you get used to saying it, it's pretty fun to say too, by the way - Redirector Detector. 

Dave Bittner: It's Redirective Detective. 

Joe Carrigan: Oh, Redirective Detective. 

Dave Bittner: Yeah. 

Joe Carrigan: OK. Now that's different. I'm saying things wrong. Redirective Detective. 

Dave Bittner: (Laughter) Let's move on to some stories, Joe. 

Joe Carrigan: All right. Yeah. Let's... 

Dave Bittner: Why don't you kick things off for us? 

Joe Carrigan: Let's redirect this conversation. 

Dave Bittner: There you go. 

Joe Carrigan: So my story comes from Proofpoint, Dave. And this is - this came out earlier this month. And they are rounding up last year's strangest social engineering tactics. And they have a top-five list. 

Dave Bittner: OK. 

Joe Carrigan: I love lists, right? No. 5 is soccer scouting. Last year, researchers saw multiple social engineering campaigns using soccer lures to deliver malware to clubs in France, Italy and U.K. Hmm. And, you know, I guess soccer's really big over there. 

Dave Bittner: You know, they call it football, Joe. 

Joe Carrigan: They do. They call it football. That's right. So the way the threat actor was working in this case was he was posing as a sports agent representing young players from Africa and South America. And he was sending people what looked like videos, but they were malicious, of course. 

Dave Bittner: OK. 

Joe Carrigan: All right. No. 4, spoofing scholars. 

Dave Bittner: Spoofing scholars. OK. 

Joe Carrigan: Right. There's an Iranian-aligned actor targeting European academics in foreign policy or in policy experts, right? 

Dave Bittner: Yeah. 

Joe Carrigan: Now, I'll tell you something, Dave. Academics get targeted a lot because there - they have research that they have not been releasing - that has not been released yet, that might be pre-released. And if you can get that research beforehand, you might have some kind of competitive edge. 

Dave Bittner: Right. OK. Yeah. 

Joe Carrigan: Right? So this threat group, which is called TA453 - do you know which kitten thing that is? 

Dave Bittner: I don't know which kitten that is now. 

Joe Carrigan: (Laughter). 

Dave Bittner: It's Pouncing Kitten or... 

Joe Carrigan: Right. It's all cats for Iran. 

Dave Bittner: Yep. 

Joe Carrigan: What are the American ones? Are they eagles? 

Dave Bittner: We - well, they don't name them. But if they did, they would definitely be eagles. Yeah. Yeah. 

Joe Carrigan: Right. They were posing as senior research fellows at universities, using lookalike email addresses to spoof real academics. And they were just trying to get into people's accounts using those things. So pretending to be something you aren't. No. 3 is fake but functional. They have some high-profile social engineering campaigns involving finely crafted but non-functioning lures. The most famous one is - we talked about this one on the show. It was BravoMovies. It was just a - it was a fake streaming site, completely fake streaming site, with all kinds of content listed on it. But all it did was install malicious software - install it on your computer. 

Dave Bittner: Oh, I see. 

Joe Carrigan: But these attackers are moving beyond that, and they're actually writing stuff that actually works. They send you a Microsoft Excel file containing a freight calculator, but of course you got to enable macros, Dave. 

Dave Bittner: I see. 

Joe Carrigan: Once you do that, Bob's your uncle. 

Dave Bittner: Right. Right. So the calculator works, but you get a whole... 

Joe Carrigan: Right. 

Dave Bittner: ...Bunch of extra stuff you don't want. 

Joe Carrigan: Yes, absolutely. You get - your computer becomes pwned, as the kids say. 

Dave Bittner: Right. 

Joe Carrigan: Good news, bad news. And this is kind of - this is one of those things that really is just an unconscionable thing that these malicious actors do. This one is they're targeting people within the same company, and they're sending some of them upcoming termination letters that say you've been terminated. Here's how you get all your stuff in order. And they're sending other people, hey, you're getting a bonus. And they're sending these competing emails into the same company. Can you imagine? You know, you and I are sitting here working one day. 

Dave Bittner: Right. 

Joe Carrigan: And you get an email that says, you're fired. And I get a - hey, Dave, look, I'm getting a bonus. 

(LAUGHTER) 

Dave Bittner: OK. 

Joe Carrigan: Right? Peter sent me a big bonus check. 

Dave Bittner: Yeah. 

Joe Carrigan: Hey, they're firing me. 

Dave Bittner: Right. 

Joe Carrigan: You and I would be dubious of that, right? 

Dave Bittner: Yeah. Well, but so... 

Joe Carrigan: But hopefully because we're steeped in this. 

Dave Bittner: (Laughter). 

Joe Carrigan: But imagine the regular employee who doesn't live and breathe this stuff, right? What does he feel or she feel? The termination one is terrible, right? And there's no good outcome here. 

Dave Bittner: Well, and I wonder, does the - does it amp up the emotional response because the people who are feeling bad feel even worse, because the people across the cubicle from them are, you know, dancing a jig because they got a bonus? 

Joe Carrigan: Right. Yeah, I don't know. But I'll tell you, the termination one - I can absolutely see that being one that might work on me. You're being fired. Here's your explanation in this letter. What? I'm being fired. How dare they. Let me click on it. Oh. 

Dave Bittner: Yeah. (Laughter). 

Joe Carrigan: Now they - I see. 

Dave Bittner: Right. Right. 

Joe Carrigan: And here's my favorite one, Dave. This one comes from Canada, north of the border, if you will - the Great White North. And it is a phishing email that combines the lures of an inheritance with a lottery winning. Now, we've always said, if you didn't enter a lottery, then you didn't win the lottery. 

Dave Bittner: Right. 

Joe Carrigan: You didn't buy a ticket, you didn't win a lottery. 

Dave Bittner: Yeah. 

Joe Carrigan: But there's - the lure of an inheritance is different, right? Because who knows? Maybe you do have some rich uncle that you never heard of, right? 

Dave Bittner: Yeah. 

Joe Carrigan: And that's much more feasible. 

Dave Bittner: It can happen. 

Joe Carrigan: Right? But they're saying, hey, you've gotten both of these, and they're sitting in one bank account, and the Bank of Canada is going after it right now. So if you buy this ATM card, that'll show that you're interested in the funds and they'll stop seizing it. 

Dave Bittner: Oh, I see. 

Joe Carrigan: So send us the $100 ATM card, and we'll secure your funds. Now, if you buy this $100 ATM card, that's just the beginning of the harassment, right? They go, oh, we got one on the line, and they will continue to try to drain your account of all the money that you have. 

Dave Bittner: Wow. You know, this is a bit of an aside here, but it reminds me of one time my wife got a nasty-gram in the mail about a speeding ticket she got in a town in, like, South Carolina that she had never been to. 

Joe Carrigan: Right. 

Dave Bittner: And they said, you know, well, look, you can handle this - you can do this the easy way or the hard way. 

Joe Carrigan: Right. 

Dave Bittner: You can just, you know, pay for this. She's like, OK. You know, because if you don't pay for it, you got to go down there and appear in court... 

Joe Carrigan: Right. 

Dave Bittner: ...Which of course, is never going to happen. 

Joe Carrigan: Yes. 

Dave Bittner: So she says, all right, let me just pay for this and get on with my life. And no, they do not take credit cards. They do not take - you know, so someone had - what you had to do was call the office across the street that someone had set up that would take your credit card, and then they would hand-deliver a check to the courthouse to pay off your fine for a small, small fee. So I'm imagining, you know, Boss Hogg... 

Joe Carrigan: Right. 

(LAUGHTER) 

Dave Bittner: ...Right? Who has... 

Joe Carrigan: Old J.D. and... 

Dave Bittner: Who's set up, you know, with his cousin... 

Joe Carrigan: (Imitating Boss Hogg) I'm going to get them Bittner boys. 

Dave Bittner: (Laughter) Right. He's set up this scam just to make money... 

Joe Carrigan: Right. 

Dave Bittner: ...And, you know, this cash scam. 

Joe Carrigan: Right. 

Dave Bittner: So yeah. 

Joe Carrigan: Now, was the ticket legit? 

Dave Bittner: No, the ticket wasn't legit. 

Joe Carrigan: OK. 

Dave Bittner: My wife had never been there. And of course, you know, you have righteous indignation. You're like, I'm not going to - but then, you know, reality sets in, and you're like, OK, well, I'm not going to go spend - I'm not going to travel to South Carolina from Maryland... 

Joe Carrigan: Right. 

Dave Bittner: ...You know, stand and - yeah. So you just - you pays your money. You write it off as a cost of doing business on this planet on which we live, and you get on with your life. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. Very frustrating, though. All right. Well, good stories. We will share that article in the show notes, of course. 

Joe Carrigan: Yep. 

Dave Bittner: My story this week comes from one of our listeners... 

Joe Carrigan: Ooh. 

Dave Bittner: ...Who wrote in. He said, you can call me Ricky. He said, I want to share this story with you as a win, sort of, preventing a scam, but also to raise the question of best practices at retail chains. He says I work for a large tech retail chain in a customer-facing role within the store, but I've also done work with finding vulnerabilities and such, hence my awareness of these scams. Anyway, a customer came into the store asking to purchase a 200-pound Steam gift card. So sounds like Ricky is European. 

Joe Carrigan: OK. I was going to say... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...A 200-pound what? 

Dave Bittner: No. 

Joe Carrigan: What in a tech store weighs 200 pounds? 

Dave Bittner: That was not the weight of it. That was... 

Joe Carrigan: It was the cost. 

Dave Bittner: ...British pounds, yes. 

Joe Carrigan: Right, 200 British pounds for Steam gift cards... 

Dave Bittner: Right. 

Joe Carrigan: ...Which makes sense. 

Dave Bittner: Yes. And he says, now, I have some procedures. This is the quick version of how it went. Me - why don't we do this together, Joe? 

Joe Carrigan: OK. 

Dave Bittner: So I will be - I will play the part of Ricky, and you can be the customer, all right? 

Joe Carrigan: OK. 

Dave Bittner: So I will say, Ricky said, what are you using this for? 

Joe Carrigan: And the customer says, I'm giving it to my nephew. 

Dave Bittner: Oh, so it's a gift for his birthday? 

Joe Carrigan: No, he's abroad at the moment and needs it to get cash because his flight has been cancelled. 

Dave Bittner: Can we have a chat over here for a second? 

Joe Carrigan: I just want to buy the gift card. 

Dave Bittner: I want to make sure you're buying the right gift card, sir. 

Joe Carrigan: Yeah, he said to get the Steam one. 

Dave Bittner: You know, that can't be used to get cash out of a cash machine. And Ricky says the customer is a little frustrated now, but he's been doing customer support for years, so he kept him calm enough. 

Joe Carrigan: Well, that's what he said, so... 

Dave Bittner: Have you spoken to him by phone or just messages? 

Joe Carrigan: Messages. 

Dave Bittner: Have you sent him gift cards before? 

Joe Carrigan: Yeah, a few. 

Dave Bittner: He says he's clearly aggravated, but Ricky keeps his interest. How much money does a flight cost? 

Joe Carrigan: Uh. 

Dave Bittner: How much money have you already sent? 

Joe Carrigan: Twenty-eight hundred pounds. Can you just sell me the damn gift card? 

Dave Bittner: If you want them, absolutely, sir, but I'm worried about this. Can you phone him and actually speak to him please? 

Joe Carrigan: Just sell the gift card. My nephew wouldn't steal from me. 

Dave Bittner: I know he wouldn't, sir. I'm worried that it isn't your nephew. That's exactly my point. And he says the customer buys the gift card anyway. 

Joe Carrigan: OK. 

Dave Bittner: Now, he goes on, and he says a few minutes later, the customer came back. I think he was annoyed at himself, as he didn't want to believe that he'd lost his money. He asked to talk to me, and I explained how the scams work. He clearly began to realize. I refunded his purchase that he just made. 

Joe Carrigan: Good. 

Dave Bittner: He says this isn't the perfect template for a conversation, but ultimately I asked questions which raised some red flags to me as being unusual. 

Joe Carrigan: No, this is the perfect template, Ricky. You did a great job here, and it was successful. 

Dave Bittner: I don't want to say that I'm so amazing, blah, blah, blah, but I do think... 

Joe Carrigan: I think you're amazing. 

Dave Bittner: But I do think that there should be some kind of policy for asking some things like this. 

Joe Carrigan: I agree. 

Dave Bittner: Yeah. 

Joe Carrigan: And a lot of stores do that. 

Dave Bittner: More and more, yeah. 

Joe Carrigan: Yeah, we've talked about CVS. 

Dave Bittner: Yeah. 

Joe Carrigan: When they - when you buy a gift card, they say, who are you buying this for? What are you giving it to them for? Why do they need it? They start, you know, giving you the third degree. They start doing what Ricky's doing here. 

Dave Bittner: Yeah, the signage up... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Where the gift cards are that are warnings. 

Joe Carrigan: Right. I went to Lowe's and there was - there were signs up at the cash register saying gift card scams, here's how they work. This is great. 

Dave Bittner: Yeah. 

Joe Carrigan: Ricky, you know, you saw something going on. You said something to it. The guy disregarded it, but what you did was plant a seed. And as he walked out of the store, that seed started growing. And he started going, this guy might be right. I might be getting scammed. And he - and it worked, Ricky. This is great. Good job. 

Dave Bittner: Yeah. The other thing I'll add is that I think what was really well-executed by Ricky was the way that he did it... 

Joe Carrigan: Right. 

Dave Bittner: ...That he was not confrontational. He wasn't accusatory. 

Joe Carrigan: Yep. 

Dave Bittner: He just sort of - as you said, he planted that seed... 

Joe Carrigan: Yep. 

Dave Bittner: ...Let the gentleman buy the card, sent him on his way and later found out that that seed took root. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. Yeah. All right. Well, Ricky, thank you for sending that in. Again, that is my story for this week. I think it's a good one. Joe, it is time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Dave, our Catch of the Day comes from a listener named Michael, and he writes, this email really looked good. The embedded links do not link to Microsoft. They originate from France. The YouTube link doesn't even go to YouTube. And actually, I looked at the other links, including, like, the Privacy Policy and the - they all go to the same URL. 

Dave Bittner: Oh. 

Joe Carrigan: But the verbiage - he says, the verbiage, you cannot use your own email for this product, raised the hair on the back of my neck. So there's a number of red flags in this email, but it is a well-crafted email - visually stimulating, visually looks good. Not stimulating, but it looks good. 

Dave Bittner: So it says Office 365 Business Premium Account. Get exclusive features and storage, Office 365 app, Microsoft corporate partner, license for schools, home and commercial use compatible with all devices. And it lists a whole bunch of other features of this. 

Joe Carrigan: Right. 

Dave Bittner: And then it says, important information - this product is an account, not a license key. This is a new account. The account is brand new and exclusive to you. You will receive a unique email and password login details, which you can use to log in to portal.office.com and enjoy Office 365. The first time you log in, you'll be prompted to set a new password from the default generated one. After set a new password, please save it and remember it. This cannot be used to renew an existing subscription. You cannot use your own email for this product. You can only change the password of this account, not the email address and name of this account. Video tutorial of how to download and activate Office 365 by signing in with a Microsoft account on Mac or PC. And then there's a link to youtu.be (laughter). 

Joe Carrigan: Right, which is YouTube's link-shortening service. 

Dave Bittner: Right. Right. 

Joe Carrigan: But that link does not go to YouTube. 

Dave Bittner: Oh. 

Joe Carrigan: It goes to the same website as everything else goes to. 

Dave Bittner: Yeah. There's a big red button that says Get Office 365 Business Premium account. 

Joe Carrigan: Right. 

Dave Bittner: So what - when you read through this, Joe... 

Joe Carrigan: Right. 

Dave Bittner: ...What are the things that caught your eye? 

Joe Carrigan: Well, one of the things that catches my eye is kind of what Michael says. It says you can't change the password or you can't change the name or the email for this product... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Which is weird. 

Dave Bittner: That is weird. 

Joe Carrigan: It's not how these things work. Another thing that catches my eye is it still says Office 365. The product used to be called Office 365, but they since changed it to Microsoft 365. So this - but if you don't know that, you're not going to - and that's a branding decision that not everybody pays attention to. 

Dave Bittner: Yeah. 

Joe Carrigan: And even I am not 100% certain that that's correct all the time, you know? I mean... 

Dave Bittner: Sure. 

Joe Carrigan: I don't - I'm not such a Microsoft fanboy that I'm like, oh, what are they calling it now, you know? 

Dave Bittner: I can never remember if it's Office 360 or Office 365. 

Joe Carrigan: Right. 

Dave Bittner: I'm like, is it, you know, 360 degrees of a circle, or is it 365 days of a year? 

Joe Carrigan: Is it 365 days a year? Yeah. 

Dave Bittner: I can't - I just can't get it straight (laughter). 

Joe Carrigan: Yeah, it's - bad decision. 

Dave Bittner: Yeah. 

Joe Carrigan: And, you know, are they going to come out with Windows 365, or are they just going to go from Windows 11 to Windows 365? 

Dave Bittner: Who knows? (Laughter). 

Joe Carrigan: Look at that. Look how far ahead we've gone. 

Dave Bittner: Right, exactly. 

Joe Carrigan: These marketing guys wreck everything (laughter). 

Dave Bittner: You know, it strikes me, too, that this is kind of along the lines - you know, there are these scammy, spammy emails that kind of wink and nod at you that they're offering you pirated software. 

Joe Carrigan: Yeah. 

Dave Bittner: You know, get Adobe Photoshop for 29.99. Not a subscription, yours forever - you know, that sort of thing. 

Joe Carrigan: Right. 

Dave Bittner: And this is along those lines. So I would say, in addition to the things you pointed out, there's also that, you know, if it's too good to be true... 

Joe Carrigan: Yeah. You're probably buying hacked software. And if you're buying hacked software, there is a probably 90% chance that there's something malicious in it. 

Dave Bittner: Yeah, yeah. These days, for sure. Absolutely. All right. Well, our thanks to Michael for sending that in. We do appreciate it. We would love to hear from you. If you have something you'd like us to consider for our Catch of the Day or perhaps a story, you can send it to us at hackinghumans@thecyberwire.com. 

Dave Bittner: Joe, it's always great when Carole Theriault joins the show. 

Joe Carrigan: It is. 

Dave Bittner: And she is back this week. She is speaking with David Ruiz from Malwarebytes, and they are talking about parents spying on their kids. Here's Carole Theriault. 

Carole Theriault: Data privacy - we all know it's a big deal, but we rarely hear about one aspect of this privacy issue - you know, the one where parents actually digitally track their kids' activities online. Here's where I bring in David Ruiz from Malwarebytes. He's an online privacy advocate. Thanks for coming on the show, David. 

David Ruiz: It's great to be here. 

Carole Theriault: So you guys recently dug into this area asking, like, how parents track their kids, why they track the kids or how. And I'd love just to hear about what you guys found out. 

David Ruiz: So we found just - right? - the top line - the headline here is that 84% of our respondents - so 84% of the parents that we asked, they did admit to some form of electronic monitoring of their children. And we think that number is extremely high - right? - because it is. And it's something that you also got to at the very beginning there - right? - which is that we talk a lot about data privacy as a concept. We talk a lot about data privacy as sort of black and white, as sort of this absolute kind of concept where if you are invading someone's privacy, if you're monitoring someone's activity without their knowledge, that's a wholesale bad, how could you do that, you know, reprehensible behavior. But we are ignoring that there are parents every single day who are faced with this question of, you know, should I monitor what my kid is doing? And they don't really see it - from what we learned, they don't see it as this conceptual thing. They don't see it as this big, you know, contrast between two opposing sides. They see it, as we learned, as, can I keep my kids safe? 

Carole Theriault: Yeah. 

David Ruiz: And that's why we see something like 84%, you know, of parents saying that they do it. Seventy percent said they used at least one form of monitoring that they had told their kid about, right? So their kid is informed. 

Carole Theriault: Oh, so, like - so they're saying, like, I'm watching your activity on Facebook, for example, or something like that. Right, right. 

David Ruiz: Right, exactly. They say, hey, we know you're going to start using this platform. We're going to look at it. 

Carole Theriault: Right. 

David Ruiz: Those are the terms of the deal, right? On the flip side, we had 36% of folks saying that they used at least one form of monitoring without telling their kids. So that's... 

Carole Theriault: Whoa. 

(LAUGHTER) 

David Ruiz: Yeah. 

Carole Theriault: So - OK, so do you think - OK, and we're just spitballing here, but it's a bit like kind of going into your kid's bedroom - isn't it? - without their permission. 

David Ruiz: It's a little bit like that. And - right? - there are some things that are different, right? There are some things that are not entirely the same because the types of monitoring we do are different. So something like tracking GPS locations, which was the most popular thing that parents did, you know, when looking at their kids, when monitoring their kids - that was the most popular thing. We don't have a corollary to that, like, in the nondigital world, right? You can't go into your bedroom and - your kid's bedroom and, like, assume that your child said, today, I went here. Then I went there. 

Carole Theriault: I wonder if parents actually buy phones for their kids before kids actually beg for them in order to have that GPS location tracking on them. 

David Ruiz: Basically, every modern phone that you can get, you know, at your store, GPS tracking is extraordinarily easy, so... 

Carole Theriault: Most of the apps you have on your phone are trying to do it, so... 

(LAUGHTER) 

David Ruiz: Right, right. So you don't even have to try that hard. They can do it. And so that might speak to also why it's the most popular, right? It's the easiest one to do. 

Carole Theriault: Now, what else do they track? Do they track things like gaming? 

David Ruiz: Yeah, yeah. So parents are tracking gaming. Parents are tracking social media use, obviously. Parents... 

Carole Theriault: Right. 

David Ruiz: The least popular thing they're doing is tracking text messages - so messaging apps. There is a couple of reasons that could be. One of them that we think is also that it is the hardest thing to do, you know, aside from saying, give me your phone; I'm looking at your text messages. 

Carole Theriault: GPS makes perfect sense to me that that's the No. 1 thing parents would want to do. That doesn't surprise me, and it kind of makes sense. You want to know where your kids are at, and in fact, you're liable (laughter) - right? - if they get into trouble. 

David Ruiz: (Laughter) Right. Parents are monitoring their kids' web browsing - right? - which I think also intuitively for a lot of parents makes sense. It's like, as soon as your kid is able to use a web browser, as soon as they're able to type in a URL, I can see a lot of parents thinking, well, then you're old enough to, you know, have that URL monitored by me. You know, I need to know what you're doing. I need to know that you're not going to, you know, websites that are, one, inappropriate at a certain age level but, two, also just unsafe. I mean, like, the internet is not a safe place (laughter). It's not a safe place for adults. I can understand parents saying, wow, you know, it took me 30 years to understand what was a sketchy website. A child doesn't have that understanding. 

Carole Theriault: Yeah. And especially during the pandemic, I imagine that computer usage went through the roof. You know, both parents are working, kids are at home... 

David Ruiz: Yeah. 

Carole Theriault: ...Homeschooling wasn't always all that. There'd be behaviors that when things start getting back to normal that you may want to curb, and that might be easier said than done. 

David Ruiz: The one thing that really surprised me - and maybe it's just I don't understand how children operate in terms of, like, how much technology they actually interact with - parents saying that they monitor their children's email. More than 30% of parents said that. I - look; I realize I was born in a different year. I didn't have an email address, I think, till I went to college. And that was a surprise to me. It's just that email was being tracked. I was like, who - what do they have email for? (Laughter). 

Carole Theriault: Yeah. I don't know a lot of kids that have emails. Actually, no, they have emails to authenticate accounts. 

David Ruiz: Oh, that - OK, OK. 

Carole Theriault: Right? So that may be where it is. 

David Ruiz: That makes perfect sense. 

Carole Theriault: So you can see what accounts they're signing up to, maybe. Yeah. What about ages? What about ages? Does this start quite young? Do people kind of say, I started tracking our kids at this age? 

David Ruiz: Just really broadly here, we saw that some parents are starting to monitor all types of activities as - honestly, as early as 3 to 5. And so... 

Carole Theriault: Whoa. 

David Ruiz: Yeah, but... 

Carole Theriault: What (laughter) - it's like, aren't they playing with blocks at that point? Is it, like, a fake phone? 

David Ruiz: Like, I don't understand how you track your 3-year-old's location... 

Carole Theriault: No. 

David Ruiz: ...And expect to get anything that you don't already have. Maybe - right? - a 3-year-old is going to preschool and they - and you're worried about, like, oh, OK, is the preschool actually doing what they say they're doing? Like, take them for their walk - I don't know. It's hard for me to even fathom, right? Because they live with you (laughter). 

Carole Theriault: And they're 3, so... 

David Ruiz: And they're 3. They're not getting in the car (laughter). 

Carole Theriault: ...That's - yeah, normally they're walking by 3. Yeah. Yeah, they're not driving, but they're certainly walking pretty fast, right? Fascinating. 

David Ruiz: Basically, as soon as a child is able to interact with a new type of activity - a new platform - that is when parents start monitoring their kids. So web browsing became really popular between the ages of, like, 9 and 11, which is, yeah, kind of when you can start entering, again, like I said, your own URLs. Social media was quite popular at 12 to 14. Actually, it was the most popular activity to be tracked between the ages of 12 and 14. And that is, again, like, when social media, you know, between those ages, social media is - that's when it starts becoming that kid's life, you know? 

Carole Theriault: Yeah. 

David Ruiz: They live online. So we saw that monitoring was, like, a response to new things happening in a kid's life. 

Carole Theriault: Yes, it's kind of like parents are offering their kids training wheels, you know, as they kind of start exploring this new digital world. 

David Ruiz: Yeah. Yeah. 

Carole Theriault: I just wish that the 36% of kids that don't know their parents have them there did (laughter). 

David Ruiz: Yes, I 100% agree. You know, as someone that works on online privacy, like, every single day, as someone that has seen privacy invaded in, you know, particularly nefarious ways - you know, we're talking about other types of things, non-child monitoring - the least I think you could do is you could transparently tell someone, hey, we're doing this. Obviously, the relationship between a parent and a child is different than something, like, you know, two spouses where we - that's where we really start hearing about consent. But you can also care about consent even when your kid is a kid. You know, like, it's a transparent and a - I think, a quite respectful thing to do. 

Carole Theriault: Online privacy advocate David Ruiz. Thank you so much for talking to me about this and sharing your findings. Any kids out there listening to this, your parents are probably on to you, even if you don't know it. So you have been warned. 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: David opens this interview with the concept of violating privacy that is bad, right? 

Dave Bittner: Yeah. 

Joe Carrigan: We would all think that's bad. But when parents do it, it's fine with monitoring their children. 

Dave Bittner: Yeah. 

Joe Carrigan: I don't see the issue there. I don't see a dichotomy. I don't see that - you know, I don't - I agree with the fact that it's bad when corporations and governments monitor people, but I don't think it's bad when adults monitor their children, OK? I think as a parent, that is your primary responsibility. And my motivation of doing that is making sure, No. 1, my child is safe online because there's all kinds of horrible things that go on online targeting children. 

Dave Bittner: Right. 

Joe Carrigan: No. 2, I want to make sure they're conducting themselves in a way that doesn't come back to damage them later, right? Because we've seen people make tweets that have come back or make statements that have come back and just destroyed careers. 

Dave Bittner: Sure. 

Joe Carrigan: Right? And there has been no restraint on that. People are willing to go back to when you were a high school kid. Dave, I am glad Twitter was not around when I was in high school. 

Dave Bittner: I know. Me too (laughter). 

Joe Carrigan: You know? 

Dave Bittner: Thank goodness. 

Joe Carrigan: Because when I was under the age of 18, I did and said some pretty dumb things. 

Dave Bittner: Yeah. 

Joe Carrigan: And I'm glad that those things were very ephemeral and temporal. 

Dave Bittner: Right. 

Joe Carrigan: You know, if my kid were to do that now, I mean, the - if any kid does that now, it's got a lasting permanence to it. I mean, there is some kind of entry that takes place over time. But, I mean, if somebody wants to maliciously save that information, they can do it. 

Dave Bittner: Sure. 

Joe Carrigan: Right? It just puts - makes you vulnerable. But at the same point in time, no, I don't want - I'm not happy with the way corporations track our stuff or governments track our stuff. And even if the government says, well, we're doing it for the same reason you do it for your kids, that's where I start having an issue. I don't want you providing me with that kind of safety. 

Dave Bittner: Right, right. 

Joe Carrigan: Right? You know, I tracked my kids with GPS. In fact, my son and I still share locations mutually, and my daughter now has my location, but she doesn't share it with me. That's fine 'cause she's an adult, right? 

Dave Bittner: Yeah. 

Joe Carrigan: She's not really my responsibility anymore, but I still share my location with her because, you know, Dave, I'm getting up there. 

(LAUGHTER) 

Dave Bittner: Oh, Joe, I hadn't noticed. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. 

Joe Carrigan: You can't tell from the gray hair. 

Dave Bittner: No, no. 

Joe Carrigan: I ordered a beer at a restaurant last night, and the woman said, are you (laughter) over 21? I said, my kids are over 21. 

(LAUGHTER) 

Dave Bittner: There you go. 

Joe Carrigan: So, yeah. I mean, it's - I don't have a problem with sharing location with my kids or my kids have - seeing my kids' location. I will agree with one thing that David and Carole said, and that was transparency. You know, we - I told my kids, yeah, we're going to be looking at things, and we're going to be watching what you do. So, you know, don't be surreptitious with your kids. 

Dave Bittner: Yeah. 

Joe Carrigan: That's not helpful. You know, there was one email my daughter - you know, when she first got an email account, within a couple of months, she got one of those chain emails that was, like, scary and - you know, with forward this on or something bad will happen to you. And she was like, ah, I better forward it. You know, she's - what? - 11. She had an email address 'cause she needed it for school. And we said, what are you doing here? Don't do this. And she's like, but - and she said, I was legitimately scared. And I'm like, I understand. I understand. 

Dave Bittner: Yeah. 

Joe Carrigan: But these emails are - and I explained to her what these emails are. These are a social experiment by some knucklehead who just wants to see how far - see how many times he gets this email back from his friends, right? 

Dave Bittner: Right. 

Joe Carrigan: Or from - maybe he wants to see if it comes out - comes in from other places. But what you've done is you've alienated everybody in your address book. 

Dave Bittner: Yeah. 

Joe Carrigan: So don't do that. And she was like, OK, fine. And she learned. She learned a lesson at the age of 11, and it never happened again. 

Dave Bittner: Right. 

Joe Carrigan: We did monitor our social media - our kids' social media statements... 

Dave Bittner: Yeah. 

Joe Carrigan: ...For exactly the reasons outlined earlier. I did tell the kids that I was capable of monitoring their web traffic, but I never really had a reason to think I did. 

Dave Bittner: Yeah. 

Joe Carrigan: If I did have a reason to, I would have gone ahead and done it, but... 

Dave Bittner: Yeah. I - to me, I think you got to be careful what you ask for, right? 

Joe Carrigan: Right. 

Dave Bittner: Because there is some stuff - like, I don't - I think my sense is, if you get too far in the weeds with your kids... 

Joe Carrigan: Yeah. 

Dave Bittner: Just - you know, you're - it's not - it doesn't end well for anybody. 

Joe Carrigan: No, yeah. You know, it's like... 

Dave Bittner: Kids are kids, and they're going to do dumb things. And sometimes, you know... 

Joe Carrigan: Yeah. 

Dave Bittner: One thing I've learned as a parent is how many things that I thought I got away with as a kid that my parents absolutely knew what was going on because, as a parent, I do the same thing all the time where I'm like, I'm just not going to choose this battle. 

Joe Carrigan: Right. 

Dave Bittner: You know, I'm just - I'm going to let them think that they got away with it. 

Joe Carrigan: Yeah. This is not that important to me. 

Dave Bittner: Yeah (laughter). 

Joe Carrigan: It's - you know, this is kids - this is what kids do, you know? 

Dave Bittner: Right, right. 

Joe Carrigan: So, you know, there is one thing. Location monitoring of a 3-year-old is unnecessary. You know, it's one of those, if you have to location - know the location of your 3-year-old, I mean, that's something you should already just know, right? You know, a 3-year-old is not an autonomous person yet. 

Dave Bittner: Right. 

Joe Carrigan: You know, so I agree with them on that. It's that - your 3-year-old should be where you are or at school in the custody of someone - you know, an educator... 

Dave Bittner: Yeah. 

Joe Carrigan: ...If they're going to preschool. 

Dave Bittner: It's hard, though. I mean, you can see how - because a lot of times, what happens is, these folks get out there who are trying to sell you something. 

Joe Carrigan: Right. 

Dave Bittner: And they're using fear. 

Joe Carrigan: Yeah. Absolutely. 

Dave Bittner: So, you know, you want to protect your kids. And as parents, that is, like, the most powerful impulse we have, right? 

Joe Carrigan: Absolutely. 

Dave Bittner: So if somebody says, hey, for just, you know, 29.99 a month, you'll always know - your toddler will never run away and, you know, get abducted, you know, like - and, well, OK, I can afford 29.99 a month, so... 

Joe Carrigan: (Laughter) Right. I should sell that kind of insurance - abduction insurance... 

Dave Bittner: (Laughter) Right, right. 

Joe Carrigan: ...Because, you know, the actual rate of child abductions is down significantly from when we were kids. 

Dave Bittner: Yeah. 

Joe Carrigan: It happens a lot less frequently. 

Dave Bittner: Yeah. 

Joe Carrigan: But it's still an absolutely terrifying thing to have happen. 

Dave Bittner: Right, right. Yeah. And that's how they get you, Joe. 

Joe Carrigan: And that's how they get you. 

Dave Bittner: That's how they get you, yeah. 

Joe Carrigan: They use that fear. That's right. 

Dave Bittner: That's right. That's right. 

Joe Carrigan: Fear is a very visceral response that we have. 

Dave Bittner: Yeah. All right. Well, our thanks to Carole Theriault for bringing us that interview with David Ruiz from Malwarebytes. 

Joe Carrigan: It's a good interview. 

Dave Bittner: We do appreciate it. 

Joe Carrigan: I appreciate David's perspective. 

Dave Bittner: Yeah, absolutely. 

Dave Bittner: All right. Well, that is our show. We want to thank all of you for listening. Our thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The Hacking Humans podcast is proudly produced in Maryland at the startup studios of DataTribe where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.