June - July 2019

Audio Hackers

A recent article in the Wall Street Journal suggests that technological advances may soon allow hackers, through malware, to interpret the acoustics and sound waves when a person types on a smartphone to obtain the person’s private data, including passwords, PINs, and text messages.  Researchers found that the microphones in Android devices could be used to record the sounds occurring when a person typed on the phone, and could, with some level of accuracy, determine where on the screen the user typed. In one test, the researchers found that out of 10 tries they obtained seven out of twenty-seven passwords from a phone, and nineteen out of twenty-seven passwords on a tablet.

One of the authors of the recent study (not yet peer-reviewed and published) suggested that smartphones should be developed that alert a user when the microphones and other applications are turned on.

An earlier study, from 2012, referenced in the recent article, showed that a smartphone’s accelerometer – used to measure a person’s steps – could be used by hackers to collect screen-vibrations to infer passwords and PINs.

Experts are not concerned at this stage for a real-world threat and indicate the threat is more of interest for academic study. However, while the threat may not be of concern now, one expert noted, the threats will be present in the near future.

Sources:  Matthew Kassel, “Hackers May Soon Be Able to Tell What You’re Typing—Just By Hearing You Type,” wsj.com, June 4, 2019 [subscription may now be required]:
https://www.wsj.com/articles/hackers-may-soon-be-able-to-tell-what-youre-typingjust-by-hearing-you-type-11559700120

Nebraska School To
Randomly Test For Nicotine
Due to the growing prevalence of e-cigarettes and vaping, a junior-senior high school in Nebraska will start randomly testing those students involved in extra-curricular activities for nicotine. Random drug and alcohol testing is already being done. Teen vaping, according to a 2018 survey by the Centers for Disease Control and Prevention, is at a high-level. The national survey asked about vaping within a 30-day period and found that 3.05 million high school students and 570,000 middle school students had used e-cigarettes in that period.

The school’s plan will randomly test between 20 and 25 children. Those students found to have nicotine present will, for a first offense, be suspended from the extra-curricular activity for 10 participation days. Second offenses bring a punishment of a 45-day suspension and, at the offender’s own expense, evaluation and treatment by certified abuse counselors or mental health providers. Third-offenders are suspended from extra-curricular participation for 12 months.

The school, Fairbury Junior-Senior High School, is located in a rural district and has about 383 students. In the 2017-2018 school year, the school had 7 disciplinary incidents related to vaping; in 2018-2019, it reported 30 disciplinary incidents.

Sources:  Elizabeth Chuck, “To combat vaping, Nebraska school district will randomly test students for nicotine,” nbcnews.com, June 18, 2019:
https://www.nbcnews.com/health/kids-health/combat-vaping-nebraska-school-district-will-randomly-test-students-nicotine-n1018886

Who Owns Your Car-Generated Data?

A recent article estimates that modern vehicles “generate about 25 gigabytes of data every hour and as much as 4,000 gigabytes a day.” The question of ownership of the data – the value of which, by 2030, according to one estimate, is $750 billion – has not yet been resolved nationally in the U.S.; the European Union has ruled that the data belongs to the vehicle-owner and is subject to privacy rules.

California has a law, scheduled to take effect in January 2020, that expands the definition of data ownership and gives consumers the right to “specific pieces of personal information a business has collected about them,” and includes the right to stop the sale of the data to third-parties. Automakers, through the Auto Alliance, a trade-group, are seeking to limit the disclosure obligation to only “summary data” collected.  The Alliance has argued that revealing all of the data collected could lead to “stalking or harassment risks, endangering individual or public safety, or it may otherwise adversely impact the privacy rights of non-owners.”  Aftermarket auto repair shops have argued against any such limitation, stating that the shops need access to the same collected data available to the automakers. Auto repairs facilities also are concerned that automakers may remove the physical data port, further limiting access, as most vehicles –32 of 44 brands in 2018 – can also download data through wifi. If the physical ports are removed from future models, the auto repair facilities argue, then automakers will either charge more to access the data – a cost passed on to the consumer – or cut off information necessary for repairs. Privacy advocates are concerned that consumers’ data may, without their knowledge, be shared with law enforcement, and commercial interests.

Sally Greenberg, executive director of the National Consumers League, was quoted as saying, “Self-regulation is important and gives us a baseline on what the industry ought to do, but it’s not a replacement for a comprehensive privacy protection.”

Sources:  Gopal Ratnam, “Your car is watching you. Who owns the data?” rollcall.com, April 9, 2019: 
https://www.rollcall.com/news/policy/cars-data-privacy

Google And Alexa AI Recordings

A recent article noted that both Amazon and Google have admitted that they use contractors to listen to “anonymized” audio clips of recordings obtained through use of their AI devices, Alexa and Google Assistant. An Amazon spokesperson was quoted as saying that the recordings help “train our speech recognition and natural language understanding systems, so Alexa can better understand your requests, and ensure the service works well for everyone,” but noted that employees cannot identify a specific user or account. “All information is treated with high confidentiality and we use multi-factor authentication to restrict access, service encryption, and audits of our control environment to protect it.” A Google spokesperson similarly described a limited-access process, stating that only 0.2% of recordings are listened to by language-expert contractors, and the “[r]eviewers are directed not to transcribe background conversations or other noises, and only to transcribe snippets that are directed to Google.” Amazon also reports that only a fraction of 1% of the collected recordings are annotated, and no recordings are shared with third parties.

Google denies that it sells personal information to third parties. However, the recent article noted that on a privacy policy page for Google Nest – separate from the page for Google Assistant – the policy contains the following language: “...we commit to you that for all our connected home devices and services, we will keep your video footage, audio recordings, and home environment sensor readings separate from advertising, and we won’t use this data for ad personalization. When you interact with your Assistant, we may use those interactions to inform your interests for ad personalization.”

Sources:  Ry Crist, “Amazon and Google are listening to your voice recordings. Here's what we know about that,” cent.com, July 13, 2019:
https://www.cnet.com/how-to/amazon-and-google-are-listening-to-your-voice-recordings-heres-what-we-know/

by Neil Leithauser
Associate Editor