Cybersecurity Blog

Apps sending Facebook your data even if you aren’t a user – 01/07/19


It is reasonable to think that if you don’t have a Facebook account, don’t view their web page or otherwise engage with any of their content that they wouldn’t have access to your personal information.  Think again.  Privacy International just completed an investigation that shows Facebook is routinely tracking users, logged out users and non-users.  That’s right, even if you have not signed up with the blue devil you are still being tracked.

They tested a variety of Android apps and found that at least 61 percent of them transfer data to Facebook the instant the user opens them. This holds true regardless of whether the user has a Facebook account, has opted out of receiving Facebook cookies or is logged onto Facebook. How much data is transferred and the nature of that data depends on the app.  Some simply do a quick check in while others continue to send data as the app is used.

The data is transmitted through Facebook’s SDK (software developer kit) which allows a developer to create an app that  interacts with Facebook. This cool tool also lets users login to an app using their Facebook ID. Spotify, Kayak, Duolingo, Indeed Job Search, Yelp and TripAdvisor were just some of the apps implicated.  As you can see by the list, this problem is not limited to obscure hardly used apps. Many well known apps that you thought you could trust are actually spying on you.

What are you supposed to do with this information? Be aware that if you are using a web based application  or smartphone app that gives you the option of logging in using your Facebook ID, your data may be sent to Facebook even if you don’t have an account. If you want to know how much of your data is being transferred, feel free to contact the developer and ask. With the new privacy regulations coming into effect across the globe, they may actually answer. Once you know what you are giving up, you can decide on whether the data lost is worth the convenience gained.


Buying tech this Christmas? Check out its creepy factor – 11/20/18


This year, there are tons of cool tech gadgets on the market. Everything from teddy bears that connect to the internet to personal alarms. As neat as all of these devices are, some of them have the potential to leave the users feeling exposed and violated.

Thankfully, the good folks at Mozilla have put together a terrific website that examines the privacy risks of the hottest tech gifts. At privacy not included you can find out what information a device collects, what is done with that data and what kind of security the device has. They also rate customer service. To make it extra fun, consumers can give each item a creepiness rating based on how comfortable they would be having that device in their home.  Check it out.


Watch home owners find out their security cameras are being broadcast worldwide – 10/22/18



With more and more of the devices in our home connecting to the internet, comes more and more ways for criminals to hack your home network. To show just how easy it is, CBC’s Marketplace teamed up with some white hat hackers and hacked into the home networks of several Canadian homes.  When home owners were shown how vulnerable their privacy and their networks were, they were shocked and disturbed.  Watch the episode and see how easy your network can be hacked and what you can do to prevent it.

This week’s Cyber Security Challenge draw entry code is l4lnwsrt. This is the last entry code.  Make sure you get all your codes entered before 4:00 pm Oct 30.

Must read – changes to Google Team Drive permissions – 10/11/18


This week Google rolled out the first of two changes to the Google Team Drive permissions.  The names have been changed.  The new names and their permissions are:

  • Manager = full access
  • Contributor =edit access
  • Commenter = comment access
  • Viewer = view access

Please check your Team Drive members list and ensure that the new permissions are correct.  After the name change, I found members who previously had only edit access were  given Manager or full access to the drive.

This week’s contest entry code for the Cyber Security Challenge is w2snl4tr.

Facebook is abusing your phone number – 10/04/18


All of you who have been on the ball and enabled two factor authentication on your Facebook account are about to get really annoyed.  Some researchers have discovered that the same phone number you gave Facebook to secure your account, is being used to target you with advertising.

When Facebook were called out on the practice, they defended it by suggesting users could simply turn off two factor authentication and opt out of the data sharing.  I know what you are thinking. You shouldn’t have to choose between privacy and security. Fortunately, there is a better solution. In May they released a feature called Code Generator.  It allows you to use two factor authentication without using your phone number.

If you are currently using your phone number for two factor authentication  on your Facebook account and don’t want it used for targeting adds, I suggest you switch to the Code Generator.  The added bonus, it works even if you don’t have text messaging or an Internet connection available.

This week’s contest entry code for the Cyber Security Challenge is n1wsl4tr.


Google can track you even if Location History is turned off – 08/15/2018


If you have an Android phone or an IOS phone that has the Google app on it, Google could be following your every move.  Most people are aware that you can turn the Location Services off on your iphone and disable Location reporting on your Android phone.  You may even know how to turn off Location History so Google doesn’t store a record of where you have been.  What you probably don’t know is, Google  has been deceiving you.

AP News has found that when you turn off those services, it only disables the viewable timeline. However every time you open Google Maps, get some weather updates or use Chrome for a search, it tracks you and stores time-stamped location data from your devices.

Fortunately, there is a way to truly turn off the location tracking.  Google buried it deep within their account settings. To keep nosy Google from tracking you in any way:

  1. Open the Google app on your mobile device.
  2. Click the Settings icon in the upper left hand corner.
  3. Select Manage your Google Account.
  4. Select Personal info & privacy.
  5. Select Activity Controls.
  6. Select Web & App Activity.
  7. Click the slider to disable Web & app activity.  It should turn gray.


Using your @mtroyal email for personal stuff? Please don’t. – 07/20/18


On a regular basis, account providers are hacked and their customer data is stolen and put up for sale on the dark web in large data dumps. Usernames and passwords are often included in the information.  As over 30% of users reuse passwords and usernames, once a hacker has that information they can access several accounts.  As part of our ongoing efforts to keep Mount Royal’s data safe, we subscribe to a service that lets us know if any email addresses appear in these lists. If an account provider gets hacked and a user used an email address as a username, we get notified about the breach. This happens about 3.8 times a month. We then force a password change on the account to ensure it stays secure.

Where things get uncomfortable is when users decide to use their email address for personal accounts.  Many account providers who deliver special interest content do not have the best security practices and are often hacked. We really don’t want to know that you belong to the Jelly of the Month Club or you are a member of Poniverse (those are the G-rated ones). Please save us and yourselves the embarrassment.  Use your account for business purposes only.


Fitness app exposes your location – 07/19/18


The fitness app Polar Beat allows you plan your workouts, map out and track your workout, analyze how you did and then share your success with friends. The app has sister application on the web called Polar Flow.  You create one account and get access to two services.

Sharper readers will get that the tracking and sharing your workout idea might not be the best one when it comes to protecting personal safety or privacy.  Thankfully the company offers its users the option of enabling private mode so they can keep their location information private.  At least that is what was thought, then researchers started to poke around.

They found that by accessing the API they could get location and tracking information on anyone with an account, even if they had set that account to private.  This is especially concerning because the researchers decided to see if they could locate foreign intelligence  officers and nuclear storage facilities staff.  They could.  As the app had tracked all their activities, once the researchers found their place of work, it was pretty easy to find their home location as well.  Let that sink in for a minute.

Unfortunately this is not the first time a fitness tracking app has made information public that people probably want made private.  As handy as it is to have your fitness tracker tell you how many calories you burned and how far you have run, you might want to reconsider using a tool that purposely tracks your location.  You never know who might be able to get a hold of the data.

Your TV is tracking you – 07/12/18


If you have a Sony, Sharp, Magnavox, Toshiba or Philips smart TV, Samba Interactive TV is probably installed on it.  It is a service that recommends shows and provides special offers based on your onscreen content,  or at least that is what they tell you. You are asked to enable it when you turn on your new flat screen for the first time.  As 90% of people say yes, it is probably a good bet that you did to.

If you actually read their privacy policy, what it really does is connect to any device on the same network as your smart TV, such as your phone. This allows the service to track you once you leave the house.  So not only is it tracking what you watch, it is also following you as you go to work, pick up your kids, get groceries and go to the movies. Creepy huh? It uses this information to deliver you customized content. However, the data collected can be used not just by Samba, but by their partners as well. Basically anyone Samba likes can see where you spend your time and what you watch on TV. This is the same kind of tracking  other companies such as Facebook, Google and Apple have been criticized for.

Unfortunately Samba Interactive TV isn’t the only service that tracks what viewers watch. In fact Vizio was fined for using the similar automatic content recognition (ACR) technology to deliver targeted content.  With TVs tracking your every move, how do you protect your privacy? Thankfully, Consumer Reports has a list of smart TVs and how to turn off ACR.

This is just another reminder that as consumers we need to take more interest in privacy policies and terms and conditions before we sign up for a service.  We have the right to choose to trade our privacy for convenience. However, before we make that choice we should be aware of exactly what we are giving up and to whom.