The Spy in Your Pocket: Smartphones & Data Privacy

In our modern world, we’ve normalized the collection and monetization of our personal data. While these practices may seem innocuous to the average user, there are very real consequences caused by mass data collection. In this article, I will focus my attention on the data collected by smartphones and outline the ways that this data can be collected and misused if it falls into the wrong hands.

Get Our Activist Investing Case Study!

Get the entire 10-part series on our in-depth study on activist investing in PDF. Save it to your desktop, read it on your tablet, or print it out to read anywhere! Sign up below!

Q3 2020 hedge fund letters, conferences and more

The types of data collected by smartphones

Cell phones are a goldmine of consumer data. While there are measures in place to reduce who has access to these data sources, it’s worthwhile to reflect on the sheer abundance of data that can be collected.

Seth Klarman: Investors Always Need A Strategy To Guide Them

Volatility"Many investors lack a strategy that equips them to deal with a rise in volatility and declining markets," Seth Klarman told his audience in a speech at MIT in 2012. Q3 2020 hedge fund letters, conferences and more Klarman was talking about the benefits of having a strategy, such as value investing, to provide a Read More


  • Geolocation through Wi-Fi, cellular data, and hybrid positioning systems
  • Geotagging of photos and videos
  • Biometric data such as fingerprints, facial recognition, and voice recognition
  • Personal content such as notes, calendar data, contacts, phone calls, and text messages
  • Web analytics such as internet history and website interactions through tracking cookies

These data sources do have potential benefits for consumers such as (debatably) targeted advertising, locating lost devices, and making cell phones more convenient. The questions that privacy advocates are rightfully posing are all about how that data could be misused if it is leaked or shared with third parties.

We’ve even seen national security concerns when soldiers were told to refrain from using Strava to record their workouts. Running and cycling routes collected by the soldiers could quite realistically be used to identify the location of military installations.

How smartphone data can be leaked and shared

In a perfect world all of the data collected by smartphones would be used exclusively for the benefit of the consumer. The consumer would have complete control over what data is collected, how it is used, and who has access to it. While manufacturers and governments alike have responded to the privacy demands of consumers we’re simply not in this world as of yet.

Stolen or shared encryption keys

App makers and cell providers can make use of encryption to improve the security of communications, but it’s not entirely infallible. If smartphone manufacturers have the means to decrypt messages that leaves consumers potentially open to breaches from threat actors and demands from government agencies to have those decryption keys shared with them.

We’ve seen examples of this threat from information leaked by CIA whistleblower Edward Snowden. Snowden’s leaks revealed that the GCHQ and NSA stole encryption keys from Gemalto, a firm that makes chips that are used in mobile phones.

For a related contemporary example we can look at the FBI demanding that Apple create a backdoor that would allow them to extract data from locked iPhones. These demands are said to be motivated by national security concerns. Unfortunately, the cellular devices used by national security threats are the very same devices used by average citizens. Should these backdoors be misused or compromised there are serious security ramifications that would follow.

Malware

At their core smartphones are really just pocket-sized computers. Overall these devices are not as frequently targeted for malware as desktops and laptops, but they are certainly not immune.

As the battle between threat actors and mobile device manufacturers continues to develop it is all too possible for mobile malware to infect consumer devices and capture their data. There is also the issue of the uncertified manufacturers that pre-installed malware on Android devices.

Other probable methods

  • Cell-site simulators. These surveillance devices pretend to be legitimate cell phone towers so cell phones will connect to them. Once connected they can collect location data, unique device identifiers, data usage, text messages, and phone calls.
  • Juice jacking. Cell phones use the same port for data transfer and charging. This theoretically means that charging your phone in a USB port that is purpose-built to transmit data could infect your phone with malware or steal data from the device. While there are no incidents of this occurring in the wild (that I’m aware of), there have been plenty of interesting proofs of concept at various cybersecurity conventions.
  • Gyrophone. While not currently a legitimate threat, the “Gyrophone” concept from Stanford University researchers demonstrates how vibrations captured by a smartphone’s gyroscope could theoretically be used to capture auditory information. At this stage, the deployment is not 100% accurate and requires a purpose-built speech recognition software to interpret the recording, but it is an interesting concept nonetheless.

Why you should care about online privacy

“I have nothing to hide. Why should I care about my privacy online?”

This is a common mantra you’ll hear when it comes to the privacy debate. It’s important to understand that the need for online privacy is not reserved for internet criminals. The vast quantities of data that anonymous third parties have on us can very well be detrimental for the average citizen too.

Targeted ads

It’s no secret that advertisers are doing everything they can to gain information about their target market. This helps them craft precisely targeted ads that are based on what you are most likely to be interested in. For some these targeted ads are convenient - after all, if I’m going to be forced to watch an ad it might as well be relevant, right?

I’ll admit that I’m personally okay with targeted ads. This is especially true for ads for services that are location-dependent. I’m keen to hear about local events and businesses at the cost of having my approximate location known to advertisers.

That said, here's some things you should consider:

  • Targeted ads rob you of the opportunity to be exposed to things you may legitimately be interested in, despite it not being obvious by your data.
  • Rather than being introduced to new things, you’re constantly being served ads that fit within the interests of your data profile. This can further fuel your personal biases and limit your exposure to new ideas.

Big data is dangerous for journalists, protestors, and other objectors

The possibility of government surveillance is a very real threat. The interception of personal data could provide the means to track the movements of journalists, protestors, and other people that an oppressive government would have an interest in controlling.

Objectors can be tracked and harassed to repress their will to object. The safety of journalists can also be compromised, leading to a suppression of their reporting. Even those not directly involved in dissent risk being arrested or detained if their location data puts them in close proximity to events that have caught the attention of law enforcement.

Conclusion

There is far more to this topic than can be reasonably covered in this article. If I’ve piqued your interest, I highly recommend that you continue to learn more about data privacy and how your data is collected and used.

What other concerns do you have that weren’t mentioned here? What steps do you take to protect your privacy? Share your knowledge with the rest of the community in the comments below.

References & further reading