Invitation to Cybersecurity

9. The Application of Cybersecurity: Principles and Practices 253

on other seemingly unrelated websites. Tracking cookies are a powerful tool that can be used to create a detailed picture of a person’s life and interests.

Cellular providers log information about the phones in their network. It is unlikely they record conversations, but they do record metadata. Metadata is the attributes of an item of data. For phone calls, metadata includes the phone numbers of the caller and the callee, the date and time of the call, and the duration of the call. Cellular providers can log text messages in their entirety, including pictures that are sent and received. Cellular providers can also log a phone’s physical location at all times, whether the person is using the phone or not, and sometimes even when the phone is supposedly turned off. Since we carry our phones wherever we go throughout the day, this means cellular providers know everywhere a person has been. Cellular providers can also determine all phones that were near a specific location at a particular point in time. Needless to say, cell phone records can easily reveal a person’s habits, hobbies, associations, and much more.

Smartphone apps can also log the actions of their users, including their location. Some apps track users even when the app is not actively being used. Android and iPhone OSs force apps to ask users for permission before they are able to collect sensitive data such as this. Some app developers claim they delete the information they collect, but such claims should be viewed with suspicion because they cannot be verified. If a company has access to data, they may or may not collect and store it. Some “anonymous” messaging apps have been exposed in the past for storing messages even though they claimed all messages were ephemeral, anonymous, and immediately deleted.

Digital assistants such as Amazon’s Alexa, Apple’s Siri, and Hey Google also log activities. They are always listening in the background in case their voice prompt is spoken. In addition to the information they process while they are being used, they could conceivably record and upload to their company servers everything they overhear at all times. So even in the privacy of one’s home, in a car, or during a hike in the woods, if a person has a digital assistant or is wearing a smartwatch or carrying a smartphone, it is at least technically possible that his conversations could be overheard and even recorded.

ISPs log website connections made by their customers. Because ISPs are their customers’ gateway to the Internet, all web browsing must go through them before reaching the wider Internet. Cellular providers are the ISPs for their smartphone customers. Most traffic is end-to-end encrypted with HTTPS and is opaque to ISPs, but even for HTTPS connections, metadata is not encrypted. For example, the source and destination IP addresses in HTTPS traffic are sent in plaintext (see Figure 9.13). IP addresses can be tied to websites, revealing which websites a person visited. For example, it would be possible for an ISP to determine that a person accessing the Internet at a particular residence visited a website at a specific time, such as google.com. The ISP could not see the search query the person typed nor the search results they received, but they could determine the next web server the person visited after Google, revealing some information about a likely query.
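The following added example (not from the book) shows what an on-path observer such as an ISP can read from an HTTPS packet: addresses, port, time and size, but not content. The packets, the 192.0.2.x, 198.51.100.x and 203.0.113.x addresses, the `.example` site names and the IP-to-site table are all constructed for illustration.

```python
import ipaddress
import struct

# Constructed stand-in for the IP-to-website mapping an ISP could assemble.
KNOWN_SERVERS = {"198.51.100.7": "search.example", "203.0.113.20": "clinic.example"}

def build_packet(src, dst, ciphertext):
    """Build a constructed IPv4/TCP packet holding one TLS application-data record."""
    tls = struct.pack("!BHH", 23, 0x0303, len(ciphertext)) + ciphertext
    tcp = struct.pack("!HHIIBBHHH", 50000, 443, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + tls
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)  # checksums left at 0
    return ip + tcp

def observer_view(timestamp, packet):
    """Return only the fields readable without the TLS session keys."""
    if packet[0] >> 4 != 4 or packet[9] != 6:
        raise ValueError("example handles IPv4/TCP only")
    ihl = (packet[0] & 0x0F) * 4                      # IP header length in bytes
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    dst_port = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    tcp_len = (packet[ihl + 12] >> 4) * 4             # TCP header length in bytes
    start = ihl + tcp_len
    rec_type, _version, rec_len = struct.unpack("!BHH", packet[start:start + 5])
    return {"time": timestamp, "src": src, "dst": dst, "dst_port": dst_port,
            "site": KNOWN_SERVERS.get(dst, "unknown"),
            # Type 23 is TLS application data: its length is visible, its bytes are not.
            "encrypted_bytes": rec_len if rec_type == 23 else 0}

def browsing_trail(capture):
    """Order of sites visited, inferred from destination addresses alone."""
    return [(v["time"], v["site"]) for v in (observer_view(t, p) for t, p in capture)]

# Constructed capture: a search, then the next server visited 45 seconds later.
OPAQUE = bytes([0x8F]) * 120   # stands in for ciphertext; the observer cannot decode it
CAPTURE = [("21:04:10", build_packet("192.0.2.10", "198.51.100.7", OPAQUE)),
           ("21:04:55", build_packet("192.0.2.10", "203.0.113.20", OPAQUE))]

if __name__ == "__main__":
    for when, site in browsing_trail(CAPTURE):
        print(when, site)
```

The observer's view never contains the query or the results, yet the sequence of destinations alone narrows down what the search was likely about.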
