Android should let users deny and revoke apps' Internet permissions
Android allows you to deny apps some permissions, like location access, on a per-app basis. But network access is not one of those permissions. Letting users deny apps network access would be a leap forward for Android privacy.
Share your story:
Why is this important?
Ever since Google released Android 6.0 Marshmallow back in 2015, Android users have been able to revoke or deny specific permissions to apps. Don’t want that flashlight application to access your location? Just change a setting. Don’t want the latest game to access your contacts? Flip the switch. Don’t want your chat app to listen in on what you’re saying via the microphone? No problem.
But one permission users can’t deny is Internet access—no matter how much you don’t want that flashlight app to phone home and tell its creator about every tap, swipe, or launch. While Apple doesn’t provide this option in iOS either, we have bigger concerns that Google’s targeted advertising-based business model gives it less incentive to stop creepy tracking. Limiting Android apps’ ability to track users would be a big step in the right direction. (And of course, if Google gave users this option, then Apple would have no excuse not to.)
Instead of having no choice but to share their data with the creators of every app they ever use, Android users should be able to deny and revoke apps’ permission to access the Internet. Your move, Google.
Read more at eff.orgOur Other Asks
-
Twitter should...
end-to-end encrypt direct messages.
-
Verizon should...
stop pre-installing spyware on its users’ phones.
-
Apple should...
let users encrypt their iCloud backups.
-
Facebook should...
leave your phone number where you put it.
-
Slack should...
Slack now has basic retention settings for free accounts.
-
Venmo should...
Venmo now lets you hide your friends list.
-
WhatsApp should...
WhatsApp now lets you choose who can add you to groups.
-
Windows 10 should...
let users keep their disk encryption keys to themselves.
Apple should let users encrypt their iCloud backups
Data on your Apple device is encrypted so that no one but you can access it, and that’s great for user privacy. But when data is backed up to iCloud, it’s encrypted so that Apple, and not just the user, can access it. That makes those backups vulnerable to government requests, third-party hacking, and disclosure by Apple employees. Apple should let users protect themselves and choose truly encrypted iCloud backups.
Share your story:
Why is this important?
The good news is that Apple CEO Tim Cook already thinks that encrypting iCloud backups is a good idea and seems to want to implement it in the future. Here’s what he said about allowing users to encrypt their iCloud backups in an interview with Der Spiegel (translated):
SPIEGEL ONLINE: Is the data also secure with your online service iCloud as on the devices? COOK: There our users have a key and we have one. We do this because some users lose or forget their key and then expect help from us to get their data back. It is difficult to estimate when we will change this practice. But I think that will be regulated in the future as with the devices. So we will not have a key for it in the future.
The future is now, Tim. While some users may find it helpful for Apple to be able to recover their backups when they forget their passwords, that’s not true for all users. It’s time to let users choose security and encrypt their iCloud backups so only they have the key.
Read more at eff.orgOur Other Asks
-
Android should...
let users deny and revoke apps’ Internet permissions.
-
Twitter should...
end-to-end encrypt direct messages.
-
Verizon should...
stop pre-installing spyware on its users’ phones.
-
Facebook should...
leave your phone number where you put it.
-
Slack should...
Slack now has basic retention settings for free accounts.
-
Venmo should...
Venmo now lets you hide your friends list.
-
WhatsApp should...
WhatsApp now lets you choose who can add you to groups.
-
Windows 10 should...
let users keep their disk encryption keys to themselves.
Facebook should leave your phone number where you put it
UPDATE 7/25/2019: Read our analysis of the FTC’s settlement with Facebook, and why its requirements for 2FA phone numbers are only a partial fix to this larger problem.
Add this to the list of invasive ways Facebook makes money off your personal information: using your phone number for targeted advertising even if you provided it for other reasons. Contrary to user expectations and Facebook’s own previous statements, the company has been using contact information that users provided for only security purposes—or never provided at all—for targeted advertising.
Share your story:
Why is this important?
When a user gives Facebook their number for security purposes—to set up 2FA, or to receive alerts about new logins to their account—that phone number can become fair game for advertisers within weeks.
And that’s not all. Facebook is also grabbing your contact information from your friends. This means that, even if you never directly handed a particular phone number over to Facebook, advertisers may nevertheless be able to associate it with your account based on your friends’ phone books.
As Facebook attempts to salvage its reputation among users in the wake of countless scandals, it needs to put its money where its mouth is. Stopping all non-essential uses of 2FA numbers and “shadow” contact data would be a good start.
Read more at eff.orgOur Other Asks
-
Android should...
let users deny and revoke apps’ Internet permissions.
-
Twitter should...
end-to-end encrypt direct messages.
-
Verizon should...
stop pre-installing spyware on its users’ phones.
-
Apple should...
let users encrypt their iCloud backups.
-
Slack should...
Slack now has basic retention settings for free accounts.
-
Venmo should...
Venmo now lets you hide your friends list.
-
WhatsApp should...
WhatsApp now lets you choose who can add you to groups.
-
Windows 10 should...
let users keep their disk encryption keys to themselves.
Slack Fixed!
Slack now has basic retention settings for free accounts
FIXED 9/1/2022: Slack has fixed it already!
UPDATE 7/1/2019: Read our op-ed in the New York Times on Slack’s data retention problems.
The revolution will not be televised, but it may be hosted on Slack. Community groups, activists, and workers in the United States are increasingly gravitating toward free consumer accounts on the popular enterprise platform to communicate and coordinate efforts. But Slack has failed to support its free workspace users in its default settings and ongoing design. Slack should keep it users safe and make at least basic retention settings available to administrators of free workspaces.
Share your story:
Why is this important?
Read our original ask to Slack:
By default, Slack retains all the messages in a workspace or channel (including direct messages) for as long as the workspace exists. If you are using a paid workspace, you can change that and set shorter retention periods.
But if you use a free Slack workspace, you don’t have that option. Instead, Slack retains all of your messages, but makes only the most recent 10,000 searchable and viewable to you. All of the logs beyond that 10,000-message limit remain on Slack’s servers, “out of sight and out of mind” but still indefinitely available to Slack, law enforcement, and third-party hackers.
Slack’s rationale for quietly keeping your old messages is to have them ready for you just in case you later decide to upgrade to a paid workspace, which does not have a limit on the number of messages that can be available for you to search and view. But many groups are simply not likely to make that switch. Instead, users should be able to decide for themselves what messages they want Slack to keep and what messages they want Slack to delete—particularly once those messages become inaccessible to them.
Read more at eff.orgOur Other Asks
-
Android should...
let users deny and revoke apps’ Internet permissions.
-
Twitter should...
end-to-end encrypt direct messages.
-
Verizon should...
stop pre-installing spyware on its users’ phones.
-
Apple should...
let users encrypt their iCloud backups.
-
Facebook should...
leave your phone number where you put it.
-
Venmo should...
Venmo now lets you hide your friends list.
-
WhatsApp should...
WhatsApp now lets you choose who can add you to groups.
-
Windows 10 should...
let users keep their disk encryption keys to themselves.
Twitter should end-to-end encrypt direct messages
When you send a direct message on Twitter, there are three parties who can read that message: you, the user you sent it to, and Twitter itself. One of those is obviously unnecessary. Twitter could fix this by making its DMs use end-to-end encryption.
Share your story:
Why is this important?
People talk about sensitive things in their direct messages, and when Twitter receives a warrant for the contents of these messages, it can hand them over to governments and law enforcement. Twitter could make direct messages safer for users by protecting them with end-to-end encryption.
End-to-end encryption ensures that a message is turned into a secret message by its original sender, and decoded only by its final recipient. That means nobody but the end users would be able to read those messages, and Twitter would no longer be in a position to hand over private messages to law enforcement.
Many other popular messaging systems are already using end-to-end encryption, including WhatsApp, iMessage, and Signal. It’s a no-brainer that Twitter should protect your DMs too.
Read more at eff.orgOur Other Asks
-
Android should...
let users deny and revoke apps’ Internet permissions.
-
Verizon should...
stop pre-installing spyware on its users’ phones.
-
Apple should...
let users encrypt their iCloud backups.
-
Facebook should...
leave your phone number where you put it.
-
Slack should...
Slack now has basic retention settings for free accounts.
-
Venmo should...
Venmo now lets you hide your friends list.
-
WhatsApp should...
WhatsApp now lets you choose who can add you to groups.
-
Windows 10 should...
let users keep their disk encryption keys to themselves.
Venmo Fixed!
Venmo now lets you hide your friends list
FIXED 05/28/2021: Venmo has fixed it already!
UPDATE 8/28/2019: Read EFF and Mozilla’s open letter to Venmo, and coverage of the letter in Vice and the Daily Dot.
Share your story:
Why is this important?
Read our original ask to Venmo:
Even a “social” payment app should give its users the choice of just how social they want to be. While Venmo offers a setting to make your payments an transactions private by default, there is no option to hide your friend list. No matter how many settings you manually change, Venmo shows your friends toanyone else with a Venmo account. Venmo should give users a setting to make their friend list private or visible only to their friends.
Venmo is a payment processing app that lets you send and receive payments. But the social features that have made it so popular are also its fatal privacy flaw: every transaction and friend list on Venmo is public by default.
This can paint a detailed picture of your life. The Public By Default project demonstrates the startling detail of Venmo information, from who you live with to where you like to go out to the minutiae of your daily habits and routines.
To hide your transactions, you can dig into the settings and set them to private. But there’s nothing you can do on Venmo to hide your friend list. Even Facebook allows you to control the visibility of your friend list. It’s time for Venmo to do the same.
Read more at eff.orgOur Other Asks
-
Android should...
let users deny and revoke apps’ Internet permissions.
-
Twitter should...
end-to-end encrypt direct messages.
-
Verizon should...
stop pre-installing spyware on its users’ phones.
-
Apple should...
let users encrypt their iCloud backups.
-
Facebook should...
leave your phone number where you put it.
-
Slack should...
Slack now has basic retention settings for free accounts.
-
WhatsApp should...
WhatsApp now lets you choose who can add you to groups.
-
Windows 10 should...
let users keep their disk encryption keys to themselves.
Verizon should stop pre-installing spyware on its users’ phones
Almost two years ago, Verizon rolled out AppFlash, a service that it describes as an app launcher/search tool, but which is essentially spyware. The software allows Verizon and its partners to track the apps you have downloaded and then sell ads to you across the Internet based on what those apps indicate about you, like which bank you use and whether you’ve downloaded a fertility app.
Share your story:
Why is this important?
As if this weren’t sketchy enough, AppFlash comes pre-installed on many Verizon phones and while you can disable it, you cannot delete it.
But wait, there’s more! A review of Verizon’s privacy policy for this app shows that AppFlash affirmatively requests the right to collect contact and location information, and does so even when the app is not in use. And sure, AppFlash’s FAQ states, “We do not sell, rent or share precise location data that identifies you with others for their own purposes,” but given the telco’s history of data-sharing, we don’t have a lot of faith in Verizon’s promises.
Verizon should abandon AppFlash and stop trying to monetize its customers’ browsing and app usage.
Read more at eff.orgOur Other Asks
-
Android should...
let users deny and revoke apps’ Internet permissions.
-
Twitter should...
end-to-end encrypt direct messages.
-
Apple should...
let users encrypt their iCloud backups.
-
Facebook should...
leave your phone number where you put it.
-
Slack should...
Slack now has basic retention settings for free accounts.
-
Venmo should...
Venmo now lets you hide your friends list.
-
WhatsApp should...
WhatsApp now lets you choose who can add you to groups.
-
Windows 10 should...
let users keep their disk encryption keys to themselves.
WhatsApp Fixed!
WhatsApp now lets you choose who can add you to groups
FIXED 4/3/2019: WhatsApp has fixed it already!
Share your story:
Why is this important?
Read our original ask to WhatsApp:
If you no longer want to be in a WhatsApp group, you can leave or even block the group. But what if you don’t want to join that group in the first place? WhatsApp should get your consent before someone else is able to add you to a group.
Without a chance to decide whether or not you want to accept a group invitation, you are automatically added. This exposes your phone number to all the members of the group, and potentially even makes you part of someone else’s disinformation campaign.
WhatsApp has recently taken several steps to make groups safer, including introducing a new protection to prevent users from being repeatedly added to groups they’ve left before. We want WhatsApp to go further and make sure its users can affirmatively choose whether or not they want to join a group in the first place.
The power to simply say “yes” or “no” when someone adds a user to a group would put users back in control of their WhatsApp chats and personal phone number privacy from the start.
Read more at eff.orgOur Other Asks
-
Android should...
let users deny and revoke apps’ Internet permissions.
-
Twitter should...
end-to-end encrypt direct messages.
-
Verizon should...
stop pre-installing spyware on its users’ phones.
-
Apple should...
let users encrypt their iCloud backups.
-
Facebook should...
leave your phone number where you put it.
-
Slack should...
Slack now has basic retention settings for free accounts.
-
Venmo should...
Venmo now lets you hide your friends list.
-
Windows 10 should...
let users keep their disk encryption keys to themselves.
Windows 10 should let users keep their disk encryption keys to themselves
Full-disk encryption is the first line of defense for your data if your device is stolen or lost while it’s powered off. It’s such a fundamental part of security that all modern operating systems intended for home users come with some sort of encryption solution—except, that is, for Windows 10.
Share your story:
Why is this important?
Windows 10 Home Edition does come with a built-in encryption solution, but only for some users. Called “Device Encryption,” it only works if you have certain hardware and if you sign into your computer with a Microsoft account—which means you have to trust Microsoft with the backup keys. This is bad encryption design by Microsoft: users should never have to give their encryption keys to a third-party.
Other versions of Windows 10 don’t require you to back up your key to Microsoft’s servers. And some Windows 10 Home users may find it helpful to have a backup key stored on Microsoft’s servers, so that they can recover the contents of their computers even if they forget their passwords. But other users may have different concerns, and may not be technically savvy enough to remove the backup key and generate a new one.
That’s why Microsoft should update Windows 10 Home Edition. All its users should be able to encrypt their devices using built-in tools that don’t require them to jump through hoops to revoke Microsoft’s power to decrypt their devices without their consent.
Read more at eff.orgOur Other Asks
-
Android should...
let users deny and revoke apps’ Internet permissions.
-
Twitter should...
end-to-end encrypt direct messages.
-
Verizon should...
stop pre-installing spyware on its users’ phones.
-
Apple should...
let users encrypt their iCloud backups.
-
Facebook should...
leave your phone number where you put it.
-
Slack should...
Slack now has basic retention settings for free accounts.
-
Venmo should...
Venmo now lets you hide your friends list.
-
WhatsApp should...
WhatsApp now lets you choose who can add you to groups.
Fix It Already
Our Asks:
-
Android should…
let users deny and revoke apps’ Internet permissions.
-
Twitter should…
end-to-end encrypt direct messages.
-
Verizon should…
stop pre-installing spyware on its users’ phones.
-
Apple should…
let users encrypt their iCloud backups.
-
Facebook should…
leave your phone number where you put it.
-
Slack should…
Slack now has basic retention settings for free accounts.
-
Venmo should…
Venmo now lets you hide your friends list.
-
WhatsApp should…
WhatsApp now lets you choose who can add you to groups.
-
Windows 10 should…
let users keep their disk encryption keys to themselves.