How tech companies deceive you into giving up your data and privacy | Finn Lützow-Holm Myrstad

00:13

Do you remember when you were a child,

00:15

you probably had a favorite toy that was a constant companion,

00:19

like Christopher Robin had Winnie the Pooh,

00:21

and your imagination fueled endless adventures?

00:25

What could be more innocent than that?

00:28

Well, let me introduce you to my friend Cayla.

00:34

Cayla was voted toy of the year in countries around the world.

00:38

She connects to the internet and uses speech recognition technology

00:41

to answer your child's questions,

00:43

respond just like a friend.

00:46

But the power doesn't lie with your child's imagination.

00:50

It actually lies with the company harvesting masses of personal information

00:55

while your family is innocently chatting away in the safety of their home,

01:00

a dangerously false sense of security.

01:04

This case sounded alarm bells for me,

01:07

as it is my job to protect consumers' rights in my country.

01:11

And with billions of devices such as cars,

01:15

energy meters and even vacuum cleaners expected to come online by 2020,

01:20

we thought this was a case worth investigating further.

01:24

Because what was Cayla doing

01:26

with all the interesting things she was learning?

01:28

Did she have another friend she was loyal to and shared her information with?

01:33

Yes, you guessed right. She did.

01:36

In order to play with Cayla,

01:38

you need to download an app to access all her features.

01:42

Parents must consent to the terms being changed without notice.

01:47

The recordings of the child, her friends and family,

01:51

can be used for targeted advertising.

01:54

And all this information can be shared with unnamed third parties.

01:59

Enough? Not quite.

02:02

Anyone with a smartphone can connect to Cayla

02:07

within a certain distance.

02:09

When we confronted the company that made and programmed Cayla,

02:14

they issued a series of statements

02:16

that one had to be an IT expert in order to breach the security.

02:22

Shall we fact-check that statement and live hack Cayla together?

02:29

Here she is.

02:32

Cayla is equipped with a Bluetooth device

02:35

which can transmit up to 60 feet,

02:37

a bit less if there's a wall between.

02:40

That means I, or any stranger, can connect to the doll

02:45

while being outside the room where Cayla and her friends are.

02:49

And to illustrate this,

02:51

I'm going to turn Cayla on now.

02:53

Let's see, one, two, three.

02:57

There. She's on. And I asked a colleague

02:59

to stand outside with his smartphone,

03:01

and he's connected,

03:03

and to make this a bit creepier ...

03:05

(Laughter)

03:09

let's see what kids could hear Cayla say in the safety of their room.

03:15

Man: Hi. My name is Cayla. What is yours?

03:18

Finn Myrstad: Uh, Finn.

03:20

Man: Is your mom close by?

03:22

FM: Uh, no, she's in the store.

03:24

Man: Ah. Do you want to come out and play with me?

03:27

FM: That's a great idea.

03:29

Man: Ah, great.

03:32

FM: I'm going to turn Cayla off now.

03:34

(Laughter)

03:39

We needed no password

03:41

or to circumvent any other type of security to do this.

03:46

We published a report in 20 countries around the world,

03:50

exposing this significant security flaw

03:53

and many other problematic issues.

03:56

So what happened?

03:57

Cayla was banned in Germany,

04:00

taken off the shelves by Amazon and Wal-Mart,

04:03

and she's now peacefully resting

04:06

at the German Spy Museum in Berlin.

04:10

(Laughter)

04:13

However, Cayla was also for sale in stores around the world

04:17

for more than a year after we published our report.

04:21

What we uncovered is that there are few rules to protect us

04:25

and the ones we have are not being properly enforced.

04:30

We need to get the security and privacy of these devices right

04:33

before they enter the market,

04:36

because what is the point of locking a house with a key

04:40

if anyone can enter it through a connected device?

04:45

You may well think, "This will not happen to me.

04:48

I will just stay away from these flawed devices."

04:52

But that won't keep you safe,

04:54

because simply by connecting to the internet,

04:57

you are put in an impossible take-it-or-leave-it position.

05:02

Let me show you.

05:04

Like most of you, I have dozens of apps on my phone,

05:07

and used properly, they can make our lives easier,

05:10

more convenient and maybe even healthier.

05:13

But have we been lulled into a false sense of security?

05:18

It starts simply by ticking a box.

05:21

Yes, we say,

05:23

I've read the terms.

05:27

But have you really read the terms?

05:31

Are you sure they didn't look too long

05:33

and your phone was running out of battery,

05:35

and the last time you tried they were impossible to understand,

05:38

and you needed to use the service now?

05:41

And now, the power imbalance is established,

05:45

because we have agreed to our personal information

05:49

being gathered and used on a scale we could never imagine.

05:53

This is why my colleagues and I decided to take a deeper look at this.

05:57

We set out to read the terms

06:00

of popular apps on an average phone.

06:03

And to show the world how unrealistic it is

06:07

to expect consumers to actually read the terms,

06:10

we printed them,

06:11

more than 900 pages,

06:14

and sat down in our office and read them out loud ourselves,

06:19

streaming the experiment live on our websites.

06:22

As you can see, it took quite a long time.

06:24

It took us 31 hours, 49 minutes and 11 seconds

06:29

to read the terms on an average phone.

06:31

That is longer than a movie marathon of the "Harry Potter" movies

06:36

and the "Godfather" movies combined.

06:38

(Laughter)

06:41

And reading is one thing.

06:43

Understanding is another story.

06:45

That would have taken us much, much longer.

06:49

And this is a real problem,

06:50

because companies have argued for 20 to 30 years

06:54

against regulating the internet better,

06:57

because users have consented to the terms and conditions.

07:02

As we've shown with this experiment,

07:04

achieving informed consent is close to impossible.

07:09

Do you think it's fair to put the burden of responsibility on the consumer?

07:14

I don't.

07:15

I think we should demand less take-it-or-leave-it

07:18

and more understandable terms before we agree to them.

07:22

(Applause)

07:23

Thank you.

07:28

Now, I would like to tell you a story about love.

07:34

Some of the world's most popular apps are dating apps,

07:37

an industry now worth more than, or close to, three billion dollars a year.

07:43

And of course, we're OK sharing our intimate details

07:47

with our other half.

07:49

But who else is snooping,

07:51

saving and sharing our information

07:54

while we are baring our souls?

07:56

My team and I decided to investigate this.

08:00

And in order to understand the issue from all angles

08:03

and to truly do a thorough job,

08:07

I realized I had to download

08:09

one of the world's most popular dating apps myself.

08:14

So I went home to my wife ...

08:16

(Laughter)

08:18

who I had just married.

08:20

"Is it OK if I establish a profile on a very popular dating app

08:25

for purely scientific purposes?"

08:26

(Laughter)

08:28

This is what we found.

08:30

Hidden behind the main menu was a preticked box

08:34

that gave the dating company access to all my personal pictures on Facebook,

08:40

in my case more than 2,000 of them,

08:43

and some were quite personal.

08:46

And to make matters worse,

08:48

when we read the terms and conditions,

08:50

we discovered the following,

08:52

and I'm going to need to take out my reading glasses for this one.

08:56

And I'm going to read it for you, because this is complicated.

08:59

All right.

09:01

"By posting content" --

09:03

and content refers to your pictures, chat

09:05

and other interactions in the dating service --

09:07

"as a part of the service,

09:08

you automatically grant to the company,

09:10

its affiliates, licensees and successors

09:12

an irrevocable" -- which means you can't change your mind --

09:16

"perpetual" -- which means forever --

09:19

"nonexclusive, transferrable, sublicensable, fully paid-up,

09:22

worldwide right and license to use, copy, store, perform,

09:24

display, reproduce, record,

09:26

play, adapt, modify and distribute the content,

09:28

prepare derivative works of the content,

09:30

or incorporate the content into other works

09:32

and grant and authorize sublicenses of the foregoing in any media

09:35

now known or hereafter created."

09:40

That basically means that all your dating history

09:44

and everything related to it can be used for any purpose for all time.

09:50

Just imagine your children seeing your sassy dating photos

09:55

in a birth control ad 20 years from now.

10:00

But seriously, though --

10:01

(Laughter)

10:04

what might these commercial practices mean to you?

10:08

For example, financial loss:

10:11

based on your web browsing history,

10:13

algorithms might decide whether you will get a mortgage or not.

10:16

Subconscious manipulation:

10:19

companies can analyze your emotions based on your photos and chats,

10:23

targeting you with ads when you are at your most vulnerable.

10:26

Discrimination:

10:28

a fitness app can sell your data to a health insurance company,

10:31

preventing you from getting coverage in the future.

10:34

All of this is happening in the world today.

10:37

But of course, not all uses of data are malign.

10:41

Some are just flawed or need more work,

10:43

and some are truly great.

10:47

And there is some good news as well.

10:51

The dating companies changed their policies globally

10:54

after we filed a legal complaint.

10:57

But organizations such as mine

11:00

that fight for consumers' rights can't be everywhere.

11:03

Nor can consumers fix this on their own,

11:06

because if we know that something innocent we said

11:09

will come back to haunt us,

11:11

we will stop speaking.

11:13

If we know that we are being watched and monitored,

11:16

we will change our behavior.

11:18

And if we can't control who has our data and how it is being used,

11:22

we have lost the control of our lives.

11:26

The stories I have told you today are not random examples.

11:29

They are everywhere,

11:31

and they are a sign that things need to change.

11:34

And how can we achieve that change?

11:36

Well, companies need to realize that by prioritizing privacy and security,

11:42

they can build trust and loyalty to their users.

11:46

Governments must create a safer internet

11:49

by ensuring enforcement and up-to-date rules.

11:53

And us, the citizens?

11:55

We can use our voice

11:57

to remind the world that technology can only truly benefit society

12:02

if it respects basic rights.

12:05

Thank you so much.

12:07

(Applause)