In October 2015, my dev “partner-in-crime” Emad Heydari Beni and I decided to run a small survey on how our blog readers, friends and relatives felt about privacy and security on the Internet. The survey was closed on November 11th and we let things settle for a while. Then we started looking at the data we had gathered.
The short version? We were actually surprised at some of the answers!
The survey context: a disclaimer
Let’s be clear here: this “survey” exercise was a first for us. We’re no specialists, and we don’t claim our questions are perfect (or even perfectly objective, even though we tried hard to keep them that way). You can probably give your own interpretation of the data we’re making available here: in fact, feel free to express your opinions and concerns in the comments below!
The survey was totally anonymous. We gathered around 120 answers, which means that the error margin on our data does not allow us to predict outcomes with a high level of confidence. However, it is reliable enough to detect what the trends are. In other words: 65% could be 60% or 70%, but we’re confident it won’t be 10%.
The comments on the data presented in this post are my own: they are my personal interpretation of what I saw in those numbers. That does not mean it’s the absolute truth! Once again, feel free to give your opinion in the “comments” section at the end of the article.
With that clarified, let’s dive into the survey results…
How secure do Internet users feel?
The first four questions of the survey were about how secure you feel when on-line, whether you have already experienced one of those “bad surprises” (virus, malware…) and what you are doing to protect yourself when on the Internet.
A majority of participants seem to feel secure enough when browsing the Internet, while the rest (either pessimists or clairvoyants!) answered that they do not feel secure. The most interesting bit is that only two of the participants felt very secure when on-line. The vast majority seem to be aware of the threat and are either convinced by the precautions they take, or have realized that those precautions might not be enough against the latest threats.
Most of the participants seem to know those threats already:
One of the interesting parts of this set of answers is how many participants have been the victim of phishing. This is scary!
Phishing for your data is the first step to emptying your bank account. Okay I’m dramatizing a bit, but not that much! Furthermore it looks like phishing (and its evolved form, spear phishing) is here to stay.
Of course, I get phishing attempts every day in my mailbox, and that doesn’t mean I fall for them. I have also had viruses/malware detected by my anti-virus before, and that does not mean I got infected. Still… it looks like the Internet is a dangerous place to hang around.
The other interesting bit of information is the small number of people who have no idea whether they have been attacked: the only explanation I can find is that they have no tool that can tell them. One can imagine that a person who has an anti-virus installed knows if a malware (49%), spyware (22%) or virus (62%) has tried to invade the device! But we must also take into account that the survey does not make any distinction between desktops, laptops, tablets or smartphones.
Tablet and smartphone users are only just beginning to understand that such a device is also vulnerable, and I suspect many of them don’t have any protection installed yet.
This seems to be matching the “what have you installed for protection” question:
Here again the surprising part is how many people have nothing installed for detecting or preventing attacks! Again, I suspect tablet and smartphone users feel safe enough as it is. Either that or they are Linux users, in which case I would suggest they reconsider their beliefs.
Looks like all OSes are equal in phishing’s eyes 😉
Although a majority of participants never had troubles, I’m worried to see that a significant number of them have been hacked (10%). Note that the term has been used in a loose way within the question: “hacked” could mean that a colleague played a prank on you, or that someone installed a keylogger on your device!
The surprising result here is how many survey participants have been the victim of ransomware! Now THAT is really scary: encrypting your data on your personal device means that the cybercriminals first got access to your data, usually by tricking you into downloading and executing a piece of software that opens access to your device. At that point, your device becomes a puppet to them. They pull the strings. They can wipe out your hard drive (check Mat Honan’s epic hack: they didn’t even use malware!), steal information or encrypt files and ask for a ransom.
Ransomware is apparently on the rise, and no, Linux is not bulletproof either. So a word of advice here: protect yourself, never pay the ransom, back up your files.
How aware are Internet users about the privacy of their data?
Enough about security, let’s talk about privacy. By now everybody suspects how “free” services work. To quote Andrew Lewis: “If you’re not paying for something, you’re not the customer; you’re the product being sold”.
You use a service, they extract whatever data you entered, they harvest it so that they can “understand” you (your tastes, your preferences)… They sell “you” to companies so that they can serve you the advertising they believe will most catch your attention. You type “baby”, you get diaper advertising. It looks free, but that’s not quite true.
I was incredibly surprised with these results.
First, at least half of the participants seem to be aware of the problem as they answered that none of the services listed respects your privacy! This is more than I expected. I guess the many articles and investigations explaining how these services’ business models work are succeeding in keeping the users informed. Kudos to those bloggers and journalists!
But the big surprise, at least as far as I’m concerned, is that a quarter of participants believe that Google respects their privacy!
The universally famous search engine surely knows how to market itself. Who remembers their motto, “Don’t be evil”? Looks like nowadays that promise has been broken… Does anyone remember that Street View incident?
The omnipresence of the company on the Internet means that it’s hard not to be tracked by them at some point.
The thing is, they are incredibly talented. We all just love their services! Heck, I love and use Gmail everyday. And Twitter!
And tracking Internet users for advertising purposes, in exchange for “free” services, is not a bad thing per se. But this tracking can have unexpected consequences, as explained very clearly by DuckDuckGo (which incidentally DOES serve advertising to you, but in an anonymous way. Hey, they have to finance their operation somehow!).
The dilemma has been magnificently expressed by Mikko Hyppönen when talking about Twitter: “I love Twitter. I have over 100,000 followers on Twitter, I love the medium, it’s excellent. I just wish I could pay for these services”. Because if you don’t pay with money, you pay with your private data.
Try this. Install either the Collusion or the Lightbeam add-on for Firefox and browse the Internet. Then watch how events are gradually exchanged between the websites you visit, drawing a graph of “who talks with who”. Your screen will be filled within minutes. If you have never done the experiment, I suggest you do it now: it’s an eye-opener.
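What Collusion and Lightbeam draw is, underneath, a simple graph: every third-party host a page pulls in becomes an edge from that page’s site to the third party, and a third party that shows up on several sites is a node that can follow you from one to the next. The script below rebuilds that graph from a constructed list of page loads and the requests they triggered. It is an example added to this post, not code from either add-on; the hostnames are fictional placeholders and the “registrable domain” logic is a deliberately simplified stand-in for the Public Suffix List the real tools use.

```python
"""Rebuild the "who talks to whom" graph shown by Collusion/Lightbeam
from a constructed list of (page visited, resource the page loaded).
Example code added to this post; not part of Collusion or Lightbeam."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: (URL the user visited, URL that page's HTML pulled in).
# All hosts are fictional placeholders, not measurements of real sites.
SAMPLE_REQUESTS = [
    ("https://news.example/article/1", "https://news.example/style.css"),
    ("https://news.example/article/1", "https://ads.tracker-a.example/pixel.gif"),
    ("https://news.example/article/1", "https://cdn.analytics-b.example/ga.js"),
    ("https://shop.example/cart", "https://shop.example/js/app.js"),
    ("https://shop.example/cart", "https://ads.tracker-a.example/conv.js"),
    ("https://shop.example/cart", "https://widgets.social-c.example/like.js"),
    ("https://forum.example/thread/42", "https://ads.tracker-a.example/pixel.gif"),
    ("https://forum.example/thread/42", "https://cdn.analytics-b.example/ga.js"),
]


def site_of(url: str) -> str:
    """Reduce a URL to its registrable domain (simplified: the last two labels).
    Real tools consult the Public Suffix List; this heuristic is an assumption
    that holds for the constructed sample and keeps the example dependency-free."""
    host = urlsplit(url).hostname or ""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def build_tracker_graph(requests):
    """Map each third-party site to the set of first-party sites that loaded it.
    Same-site requests (page and resource share a registrable domain) are not edges."""
    graph = defaultdict(set)
    for page_url, resource_url in requests:
        first_party, third_party = site_of(page_url), site_of(resource_url)
        if first_party != third_party:
            graph[third_party].add(first_party)
    return dict(graph)


def shared_trackers(graph, min_sites=2):
    """Third parties present on at least `min_sites` distinct first-party sites:
    these are the nodes able to correlate one user's visits across sites."""
    return sorted(tp for tp, sites in graph.items() if len(sites) >= min_sites)


if __name__ == "__main__":
    graph = build_tracker_graph(SAMPLE_REQUESTS)
    for third_party, sites in sorted(graph.items()):
        print(f"{third_party} <- {', '.join(sorted(sites))}")
    print("cross-site trackers:", shared_trackers(graph))
```

On the sample, three unrelated sites all load `tracker-a.example`, so that one host alone can tie the three visits to the same browser; that is the “screen filling up within minutes” effect, reduced to a dictionary.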
Sharing email addresses and mobile numbers
Two bits of data every service wants from Internet users are their email address and their mobile number. The reason seems obvious: you could identify a person’s profile using those two pieces of information and cross-reference data from various sources using those identifiers. The identifier, email or phone number, is used as the “link” between the various pieces of data.
This approach is fundamentally what GCHQ’s Karma Police program uses to record the website browsing habits of “every visible user on the Internet” (bonus points if you guess who sent The Intercept that piece of evidence).
So how do you feel about providing your email address?
Apparently not too well. Only 13% of participants seem to have no problem sharing their email address… or at least giving ONE email address to use a service!
Indeed, one participant commented that he maintains various email addresses: one private, one for forums and one for commercial sites. This obviously is reassuring. Unless the email service actually manages to link the three addresses, of course.
The email address has become one of the main ways of authenticating a service user. Remember: initially “usernames” would be requested, and they could differ from one service to the next. Nowadays the email has become the username: it’s easier for you to remember, and it’s easier for the service to link you with other sources of data they might have on you.
The survey participants seem to understand what a company does with their email: no surprises there.
However, they seem to be a little more worried when they have to give out their mobile number to register for a service: 62% of participants don’t like giving their phone number at all, as opposed to 42% for their email address. Maybe it’s because blocking email spam is easier than blocking marketing calls or texts on the phone?
Or maybe it’s because a phone number, or more specifically the phone it is linked to, is actually a valuable source of information. It gives access to a set of metadata that a simple email address cannot provide, thereby enriching whatever a service provider already knows about you.
And indeed it seems that mobile carriers have noticed they’re sitting on a gold mine, and have started selling subscribers’ phone metadata (geolocation, activity patterns, etc.) to marketing firms, possibly after cross-referencing that data with other sources linked directly or indirectly to the subscriber’s phone number.
Whether it’s in relation to their email or their phone number, the survey participants seem to clearly understand that the name of the game is to gather data by linking it through identifying pieces of information. This may be why services ask you to log in using your email or your mobile number, instead of an anonymous, changing username.
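The “linking” described in this section is nothing more exotic than a database join on a shared key, and the one-address-per-purpose habit mentioned above only helps as long as the keys really are distinct. The example below, added to this post with two constructed, fictional service exports, joins them on the email address and then shows where the separate-addresses strategy holds and where it does not: two genuinely different local parts stay separate, while `+tag` aliases on one mailbox collapse back into one profile as soon as the matcher normalizes them away. The `canonical_email` and `link_profiles` functions are this example’s own, not a description of any broker’s pipeline.

```python
"""Join two unrelated datasets into one profile via a shared identifier (the
email address), and show which alias strategy actually breaks that link.
Example code added to this post; both datasets are constructed, not real exports."""
from collections import defaultdict

# Constructed sample export from a fictional forum, keyed by email.
FORUM_USERS = [
    {"email": "Alice.Martin@mail.example", "handle": "alice_m", "interests": "hiking"},
    {"email": "bob+forum@mail.example", "handle": "bobby", "interests": "guitars"},
    {"email": "carol.forum@alias.example", "handle": "c", "interests": "chess"},
]
# Constructed sample export from a fictional shop; phone numbers are placeholders.
SHOP_CUSTOMERS = [
    {"email": "alice.martin@mail.example", "phone": "+00 000 000 0001", "last_order": "hiking boots"},
    {"email": "bob+shop@mail.example", "phone": "+00 000 000 0002", "last_order": "guitar strings"},
    {"email": "carol.shop@alias.example", "phone": "+00 000 000 0003", "last_order": "chess clock"},
]


def canonical_email(address: str, strip_plus_tag: bool = False) -> str:
    """Normalize an address so that two spellings of one mailbox compare equal.
    Case folding always applies. Dropping a '+tag' suffix models a matcher that
    knows the mailbox provider ignores it; a genuinely different local part
    (carol.forum vs carol.shop) cannot be collapsed by any such rule."""
    local, _, domain = address.strip().lower().rpartition("@")
    if strip_plus_tag:
        local = local.split("+", 1)[0]
    return f"{local}@{domain}"


def link_profiles(*datasets, strip_plus_tag: bool = False):
    """Join any number of record lists on the canonical email.
    Returns {canonical_email: merged_record}; 'sources' counts how many
    datasets contributed to each profile (2+ means a successful link)."""
    profiles = defaultdict(lambda: {"sources": 0})
    for records in datasets:
        for rec in records:
            merged = profiles[canonical_email(rec["email"], strip_plus_tag)]
            merged.update({k: v for k, v in rec.items() if k != "email"})
            merged["sources"] += 1
    return dict(profiles)


def linked_count(profiles) -> int:
    """Number of profiles assembled from more than one dataset."""
    return sum(1 for p in profiles.values() if p["sources"] >= 2)


if __name__ == "__main__":
    for label, strip in (("plain join", False), ("join with +tag stripped", True)):
        profiles = link_profiles(FORUM_USERS, SHOP_CUSTOMERS, strip_plus_tag=strip)
        print(f"{label}: {len(profiles)} profiles, {linked_count(profiles)} linked")
        for key, prof in sorted(profiles.items()):
            print(f"  {key}: {prof}")
```

Alice used the same mailbox twice and is linked by a plain case-insensitive join: her forum handle and interests now sit next to her phone number and purchase history. Bob’s `+forum`/`+shop` aliases survive the plain join but not the normalized one. Carol’s two distinct addresses survive both, which is the point of the strategy the participant described above.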
What does “free” mean?
A vast majority of the services we use on the Internet present themselves as free. Yet the expenses to run, maintain and develop a service can quickly become substantial. Developers have to eat too, you know!
So how are those services being financed?
Here again, the survey participants seem to have understood how it works: advertising pays the bills (87%)… and so does the data they gather on their users and sell to third parties (68%)!
Some of these services are indeed backed by grants and benefactors: Pavel Durov appears to have donated enough money for Telegram to exist, and Open Whisper Systems’ Signal combines a small team of grant-funded developers with the generosity of Open Source contributors. For the time being, these two messaging systems combine privacy and a certain level of financial independence, which is a good thing.
Personally, I certainly hope no government is funding any social network or messaging system on the Internet… but then again that might be just me and my conspiracy theories 😉
But is there any other option for funding these services, other than showing ads and selling data? How much money are users willing to pay? Well, we asked the question to the survey participants and, surprisingly, a third of them are willing to pay an average of €9.15 per month for a messaging system!
I’m certainly not in a position to judge whether such a monthly subscription would be enough to sustain a messaging service business, but it looks like it is enough for Netflix to prosper (€9.99 is the price of their standard subscription).
I admit it: I actually enjoyed analyzing the survey participants’ answers. I feel like I’ve learned a lot from persons who are… well, not me!
I have tried as much as possible to cross-reference the results with other resources I gathered on the subject. I tried to offer you a view of where I believe we are going in terms of privacy and security.
I have tried to connect the dots, but in the process I have most certainly given you a biased view on the subject: like any human being, I have come up with deductions based on my own convictions.
So in an attempt to make up for my subjectivity, I humbly offer you the raw data as a Libre Office Calc file so that everybody can download, process and interpret the results of this survey:
One final word: I’d like to thank Emad for helping me with this survey, and for convincing all those Internet users to take the survey. Thanks for spamming your contacts, mate 😉
Until next time,
- A Brief History of Spear Phishing: http://resources.infosecinstitute.com/a-brief-history-of-spear-phishing/
- Phishing: A Very Dangerous Cyber Threat: http://resources.infosecinstitute.com/phishing-dangerous-cyber-threat/
- Securelist’s “Spam: features of the quarter”: Q1 in 2015, Q3 in 2015
- Ubuntu Wiki on Antiviruses: https://help.ubuntu.com/community/Antivirus
- Careto (the Mask): long-running, sophisticated APT malware: http://boingboing.net/2014/02/11/careto-the-mask-long-runnin.html
- Linux.Darlloz worm attacks embedded systems: http://boingboing.net/2013/11/28/linux-darlloz-worm-attacks-emb.html
- Linux Webserver Rootkit Attacks Internet Users: http://www.tomshardware.com/news/rootkit-malware-security-software,19271.html
- New Trojan Attacks Linux Servers: http://www.linux-magazine.com/Online/News/New-Trojan-Attacks-Linux-Servers
- How Apple and Amazon Security Flaws Led to My Epic Hacking: http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/
- Ransomware threats on the rise in 2015: https://www.intermedia.net/blog/2015/05/27/ransomware-threats-on-the-rise-in-2015/
- Kaspersky Security Bulletin 2015. Overall statistics for 2015: https://securelist.com/analysis/kaspersky-security-bulletin/73038/kaspersky-security-bulletin-2015-overall-statistics-for-2015/
- Linux Ransomware targeting Servers and Threatening Webmasters to Pay: http://thehackernews.com/2015/11/linux-ransomware.html
- Google Code of Conduct: http://investor.google.com/corporate/google-code-of-conduct.html
- Don’t Be Evil [Wikipedia]: https://en.wikipedia.org/wiki/Don't_be_evil
- Google’s Broken Promise: The End of “Don’t Be Evil”: http://gizmodo.com/5878987/its-official-google-is-evil-now
- Google Is Evil: http://www.wired.com/2012/06/opinion-google-is-evil/
- How Google is tracking you, and how to avoid it: http://www.ghacks.net/2014/06/02/google-tracking-avoid/
- Don’t Track Us: http://donttrack.us/
- Securing our future – Mikko Hyppönen: http://privacy-pc.com/articles/securing-our-future-mikko-hypponen.html
- Collusion: http://collusion.toolness.org/
- Lightbeam: https://www.mozilla.org/en-US/lightbeam/
- From Radio to Porn, British Spies Track Web Users’ Online Identities: https://theintercept.com/2015/09/25/gchq-radio-porn-spies-track-web-users-online-identities/
- KARMA POLICE: GCHQ’s plan to track every Web user in the world: http://boingboing.net/2015/09/25/karma-police-gchqs-plan-to.html
- The $24 Billion Data Business That Telcos Don’t Want to Talk About: http://adage.com/article/datadriven-marketing/24-billion-data-business-telcos-discuss/301058/
- Mobile carriers make $24B/year selling your secrets: https://boingboing.net/2015/10/28/mobile-carriers-make-24byear.html
- Facebook buys WhatsApp for $19 billion: http://money.cnn.com/2014/02/19/technology/social/facebook-whatsapp/index.htm