SoylentNews is people
SoylentNews
Submitted via IRC for SoyGuest52256
According to the patent, spotted by Metro, the system would use 'a non-human hearable digital sound' to activate your phone's microphone.
This noise, which could be a sound so high-pitched that humans cannot hear it, would contain a 'machine recognisable' set of Morse code-style beeps
Once your phone hears the trigger, it would begin to record 'ambient noise' in your home, such as the sound of your air conditioning unit, plumbing noises from your pipes and even your movements from one room to another.
Your phone would even listen in on 'distant human speech' and 'creaks from thermal contraction', according to the patent.
TV advertisers would use this data to determine whether you had muted your TV or moved to a different room when their promotional clip played.
(Score: 5, Insightful) by Anonymous Coward on Tuesday July 03 2018, @09:01PM (11 children)
I know you're pretty nuts, but I would have thought you'd have more respect for privacy concerns. Maybe you're company isn't doing shady shit but others are and there is no way for joe random to know. Additionally, even if you're not selling the data your company might become a target and the data will be stolen. Not having it in the first place because someone opted out seems like the safest bet.
Maybe you'll change your tune if we can get legislation that lets people easily sue companies that violate privacy knowingly or not. Like the "do not call" list.
I guess I'll be happy you're not calling GDPR a subversive communist attempt to destroy capitalism and democracy.
(Score: 2) by VLM on Tuesday July 03 2018, @09:19PM (10 children)
Exactly, a better solution that the GDPR would implement that, somehow. Sort of a SOX declaration that nothing shady is going on and the auditors agree, rather than the GDPR we got stuck with.
Trust me dude as part of the cleanup I got to see the crash logs and there is Nothing in there, absolutely nothing, worth selling or stealing, so... I mean, on that specific cleanup project, if you had root on the app and could take anything you wanted, the app itself had nothing worth stealing to begin with... I know that, and they know that, and that only leaves like 324999900 other people in the USA who don't know nothing interesting was going on and assume instead what was going on was the facebook thing from the article of recording audio from their microphone for whatever big brother insanity they plan.
Its too crazy. In the future its going to be looked back upon like those crazy laws on clickbait sites like "In Waynesboro, Virginia It's Illegal For A Woman To Drive Up Main Street" type of stuff. Like kids are going to read about the bad old days and GDPR will probably get a LOL paragraph and the kids will ask questions in class like "so... this was a result of legalizing weed, right?" and stuff like that. Its such a bad law its almost orthogonal to reality, not merely oppositional to capitalism or democracy.
The GDPR is like, you better treat all the normal residential garbage in a trash can as if its entirely made of written copies of the nuclear missile launch codes and CA root certs and lists of SS numbers, unless you're a giant corporation with a lot of money and lawyers or a crook, in which case you can go right on screwing everyone over without any interference from the government at all. And the above the law people are ironically the only source of trouble to begin with. In that way GDPR is kinda like gun control; the people most likely to obey the gun control laws (like, say, the cleanup BS project I got catapulted into) are exactly the self selected sub-population least likely to be involved in gun related crimes and vice versa.
(Score: 2) by bitstream on Tuesday July 03 2018, @09:38PM (9 children)
Auditors will become lazy and bribed. Human nature thing.
And crash dumps, logs etc may contain sensitive data inadvertently. But a combination of some automatic scrubbing and checking a user setting of "send debug logs to author" should provide a suitable solution.
Regardless. Laws are usually written by law people and possibly politicians. Which would outlaw gravity if it were deemed problematic and more "just" .... ;-)
Facts nor practicality need not to apply.
(Score: 2) by VLM on Tuesday July 03 2018, @10:23PM (6 children)
No dude, its not inadvertent. Not at all. This late in the holiday I'm still sober enough to log into firebase console on another monitor while typing this WRT that GDPR cleanup project and there's three NPEs and one SQL constraint violation in the hopper. At least with Crashlytics you have to explicitly and intentionally enable custom logging, set custom keyvalue pairs, or intentionally and explicitly set user identifiers. If you don't, you don't get "sensitive data" logged in crash dumps. It doesn't like "magically appear".
I'm looking at it right now, and there is no user data logged BY DEFAULT other than the call stack and the exact line of code where the crash happened.
Yes crazy as it sounds, even a "android.database.sqlite.SQLiteConstraintException" only logs "Unique constraint failed" the name of the SQLite column defined as unique in the schema, and the exact java class name and line number in that class that blew it up (63 for whatever it matters) and thats it. No actual data, no row data, nothing no variable contents nothing nothing nothing. Certainly no PII HIPPA nuclear missle launch codes, recorded mic audio, sexting pixs, SN unames and passwords, nothin but those three things, the error being a sqllite issue, the specific issue being a schema constraint violation, the column in the schema that was violated, and the exact line number of source code causing it. Oh and it happened at 3:40:00pm yesterday plus or minus five minutes. All the crashes seem rounded to five minute resolution. Sorry if I just violated some poor bastards privacy but I simply have no cares if they're that clinically paranoid ..... You can feel pity for someone insane, and be nice to them, but you can't take their delusions seriously. This is simply not a problem for non-insane people.
Now a crooked company could intentionally with malice aforethought explicitly add custom logging to send in your login password or sweet nothings you texted your spouse, but ... not here. Like I implied elsewhere, its precisely the crooked companies that are not going to even attempt to follow GDPR because they're crooks, and non-crook companies like the project I got catapulted into are precisely the kind of people who you DON'T need to worry about but are going thru the wringer.
The NPEs list the timestamp, obviously, "attempt to read from field blah on a null object reference" and the exact class name and source code line number (125 in this case). I am too lazy to look up the reported version vs the bug database to tell, but "usually" this is poor handling of views where a view goes away while someone still has a reference to it (like rotating the screen while something is updating or whatnot). You're supposed to use LiveData to "fix" all that foolishness and do all your biz logic in the viewmodel but WTF. Who knows maybe hardware failure madness I donno. No I do not get any more data. Hard to describe a null as violating someones privacy (thats a joke, kinda). Obviously its more a source code bug than data/privacy issue. But in summary, no, NPEs don't leak private data accidentally or any of that BS.
My guess is a new "feature" of crashlytics will be to remove all that possibly privacy violating stuff. Bare basic crashlytics gives you class name, variable name, maybe, generic error message, and line of the source code. Not your social security number or facebook password.
There are some details I left out that are irrelevant. I know the android version of the crashing device. I know the app version they were running (recent, at least). When the NPE happend it was in Portrait mode... The device that crashed had 821.64 MB free so it wasn't a OOM event. Thats about it. I have no uuid no device id no mac no ip address no phone number no wifi ESSID, basically, nothing.
Anyone with a specific question about Crashlytics could set up a free account, write a five line "app" with an activity that calculates 1/0 and see for themselves, or ask me if I'm still sober enough to respond...
Firebase Performance is interesting. Unless you enable extra traces all you get to see is the worldwide average app_start time for this all for the last 30 days is 708 ms, which is supposedly not bad. If a new version altered the average startup time for good or bad, that would be interesting. This app does not hit the internet, but performance can be used to analyze http response latency and codes, although obviously I have no data because this app doesn't do it. Ratio of 200 vs 404 codes, response times below 2 s, 2-6 secs, and above 6 secs by geographic area.
Analytics is pretty empty for this app. They're logging every time any fragment is hit, so I can see X% of users hit fragment (screen) A, vs Y% looked at screen B over various time intervals up to the previous month. This particular company does NOT add additional logging and only added logging to show a fragment (screen) was loaded. There's some fuzzy looking math about total audience numbers which is interesting. YES you can explicitly and intentionally with malice add "user properties" to log your passwords, dogs name, and sexting pixs in each upload, but this company not being crooks... they don't.
In summary, no dude, "sensitive data" is NOT uploaded unless the programmers explicitly and intentionally with malice are dirtbags. By default nothing sensitive is uploaded or could possibly appear even by accident. Thats why I'm pretty cavalier about it; I KNOW its not a privacy violation. Although I sympathize that the general public has no way of knowing.
(Score: 2) by VLM on Tuesday July 03 2018, @10:47PM (5 children)
Looking more closely at the version numbers, I am not working the afternoon before the 4th, but clearly someone IS working ... One of the NPEs in the hopper crashed this afternoon on a phone described as "Android SDK built for x86" so ...
As a cultural phenomena the crash hopper at a multi-person company ends up about like you'd expect with orphaned junk in it that doesn't age out until its auto-deleted in 30 days, so naturally some dev didn't delete the other NPEs and no one else will because its kind of sabotage if someone actually needed that data (who?) and there's no theoretical way to reverse the data and de-anonymize who crashed their emulator, so its impossible to figure out who done it. With more motivation and less alcohol I could log into the VPN then the rdesktop to the cluster to get into the gitlab to see who was making commits to that java class around the time of the NPE which doesn't exactly prove who caused the problem but does implicate someone who fixed it, but ... I'm lazy. Which makes the point that its hard to violate someone's privacy if even the guys working there with source code access still can't effectively de-anonymize a crash report.
Firebase and crashlytics and all that is like a network test tool; the fact that a crook could pingflood someone with it doesn't prove everyone with that binary is in fact a criminal requiring extensive regulation, in fact most people are not criminals. Again, the fairly obvious gun control analogy, that the only people following the draconian rules are by definition exactly the people you don't need to worry about and shouldn't be subjected to the draconian rules.
(Score: 3, Informative) by bitstream on Wednesday July 04 2018, @12:19AM (1 child)
I think our perspectives may differ. I'm thinking primarily on "core dumps". They may contain memory regions of various data.
Your logging stuff may be way less prone to inadvertent data leakage.
(Score: 2) by VLM on Thursday July 05 2018, @03:21PM
Ehh... Android studio is free, Google firebase with crashlytics and analytics is free, you can log in and try this stuff yourself if you don't believe me for nothing but hours.
Computing world being very big, there could be some competitor product you're talking about that I'm unaware of that uploads your complete photo gallery and stored website passwords with every NPE; but I can assure you, not with what I have experience with.
I'm not kidding, you get a crash in crashlytics, it doesn't have memory dumps or variable contents, which sometimes makes debugging weird, yet merely knowing what crashed when is often enough data to fix stuff. I suppose a real jerk could embed single bits of data at a time in the backtrace by having string to binary functions recursively call each other and then do a 1/0 to drop a crash where the backtrace is a binary representation of "secret data", but its impossible to prevent active intentional malice.
Maybe Apple dev tools contain curious stuff in their crash reports; again, I've only worked on Android using standard google services with one non-scummy company.
(Score: 0) by Anonymous Coward on Wednesday July 04 2018, @03:45AM (2 children)
What happens when you are not in that company and an asshole psychopath replaces you?
(Score: 2, Funny) by Anonymous Coward on Wednesday July 04 2018, @06:52AM
You mean, how will they tell the difference?
(Score: 1, Funny) by Anonymous Coward on Wednesday July 04 2018, @03:14PM
Are they looking for one? I'm available.
(Score: 0) by Anonymous Coward on Wednesday July 04 2018, @02:41AM (1 child)
"Auditors will become lazy and bribed. Human nature thing."
Oh how I wish. However the reality is somewhat depressing.
Auditors will make themselves necessary. It's their reason for existence.
I do SOX. Been there, done that. Auditors will not go away, they will weasel their way into everything they possibly can.
I loathe most auditors because they have no understanding of what they're auditing. Or the language of the people they're auditing.
Deloitte is pure evil, they should hire native speakers to conduct their audits.
(Score: 3, Interesting) by bitstream on Wednesday July 04 2018, @07:11AM
SOX = Sarbanes–Oxley Act of 2002 ?