How tech companies deceive you into giving up your data and privacy | Finn Lützow-Holm Myrstad
Summary
TLDRThe speaker exposes the privacy and security risks of internet-connected toys like Cayla, which collects personal data, and highlights the lack of consumer protection. They demonstrate how easily Cayla can be hacked, leading to bans and store removals. The talk extends to app privacy, revealing the unrealistic expectations placed on users to read and understand lengthy, complex terms and conditions. The speaker advocates for clearer terms, better enforcement of privacy laws, and prioritizing security to build consumer trust.
Takeaways
- 🐻 Cayla, an internet-connected toy, was named Toy of the Year but was found to be collecting personal data from children without their or their parents' knowledge.
- 🔒 The toy's connectivity allowed strangers within range to connect to it, posing a significant security risk to children's privacy.
- 📱 The speaker highlighted the broader issue of billions of devices expected to be online by 2020, raising concerns about data privacy and security.
- 📑 The terms and conditions of apps and devices often allow for the collection and use of personal data without clear consent from users.
- 🌐 The speaker's team conducted an experiment to read out loud the terms of apps on an average phone, taking over 31 hours, emphasizing the impracticality of expecting users to read them.
- 🚫 Despite the security flaws, Cayla was sold worldwide for over a year after the report, indicating weak enforcement of privacy regulations.
- 💔 The speaker critiqued the lack of transparency and fairness in how personal data is used, manipulated, and potentially exploited by companies.
- ❤️ The story of a popular dating app was used to illustrate how personal and intimate data can be exploited, with broad permissions granted to the company in the terms and conditions.
- 🏦 The implications of data exploitation can lead to financial loss, subconscious manipulation, and discrimination against individuals.
- 🌟 Positive change can be achieved when companies prioritize privacy, governments enforce regulations, and citizens demand respect for their rights.
Q & A
What was Cayla, the toy mentioned in the script, known for?
-Cayla was a toy that connected to the internet and used speech recognition technology to interact with children, answering their questions and responding like a friend. It was voted toy of the year in various countries.
What privacy concerns were raised about Cayla?
-Cayla raised privacy concerns because it was found to be collecting and potentially sharing personal information from children and their families without proper security measures, allowing anyone with a smartphone to connect to the toy within a certain distance.
What actions were taken against Cayla after the investigation?
-Following the investigation, Cayla was banned in Germany, taken off the shelves by major retailers like Amazon and Wal-Mart, and is now on display at the German Spy Museum in Berlin.
How long did it take the speaker's team to read the terms and conditions of an average phone?
-It took the speaker's team 31 hours, 49 minutes, and 11 seconds to read the terms and conditions of an average phone.
Why did the speaker's team read the terms and conditions out loud?
-The speaker's team read the terms and conditions out loud to demonstrate the unrealistic expectation placed on consumers to read and understand these lengthy and complex documents before using apps.
What was the outcome of the speaker's experiment with dating apps?
-The speaker found that dating apps had a pre-ticked box granting them access to personal pictures and other data, with terms and conditions that allowed for perpetual and irrevocable use of that content.
What potential risks were associated with the data collection by dating apps as mentioned in the script?
-The potential risks included financial loss based on web browsing history, subconscious manipulation through targeted ads during vulnerable moments, and discrimination such as being denied health insurance coverage due to data sold by fitness apps.
What change did the dating companies make after the legal complaint?
-Following the legal complaint, the dating companies changed their policies globally to address the privacy concerns raised by the speaker's team.
What is the speaker's call to action for companies, governments, and citizens?
-The speaker calls for companies to prioritize privacy and security, governments to create a safer internet with up-to-date rules, and citizens to use their voice to remind the world that technology should respect basic rights.
What is the main argument the speaker is making about technology and privacy?
-The main argument the speaker is making is that technology can only benefit society if it respects basic rights, including privacy and security, and that there is a need for change in how data is collected, used, and protected.
Outlines
🤖 The Dark Side of Smart Toys
The speaker introduces Cayla, an internet-connected toy that was voted toy of the year, highlighting the privacy and security concerns associated with such devices. Cayla uses speech recognition to interact with children but is also capable of collecting personal information, which the company can use for targeted advertising and share with third parties. The toy's Bluetooth connectivity allows anyone within range to connect to it, posing a potential risk to children. The speaker demonstrates this vulnerability by having a colleague connect to Cayla from outside the room and manipulate it to ask a child to come out and play. The toy's security flaws led to it being banned in Germany and removed from major retailers' shelves, but it remained on sale in other parts of the world for over a year after the report was published. The speaker emphasizes the need for better security and privacy regulations for smart devices before they reach the market.
📱 The Illusion of Informed Consent in App Terms
The speaker discusses the issue of informed consent in the context of app usage, pointing out that users often agree to terms and conditions without fully understanding them. To illustrate this, the speaker's team conducted an experiment where they printed and read aloud the terms of popular apps, which amounted to over 900 pages and took more than 31 hours to read. The speaker argues that achieving informed consent is nearly impossible due to the length and complexity of these terms. They also highlight the imbalance of power that arises when companies gather and use personal information on a massive scale based on users' consent. The speaker calls for more understandable terms and less take-it-or-leave-it approaches to data privacy and security.
❤️ Privacy Issues in the Dating App Industry
The speaker shares a personal anecdote about creating a profile on a popular dating app for research purposes, despite being newly married. They discovered that the app had a pre-ticked box granting it access to all personal pictures on Facebook, which could number in the thousands. Upon reviewing the app's terms and conditions, they found that users grant the company an irrevocable, perpetual, worldwide license to use their content in any way they see fit. This could lead to personal data being used for financial decisions, subconscious manipulation through targeted ads, or discrimination by selling data to health insurance companies. The speaker concludes by emphasizing the importance of privacy and security in building trust with users and calls for companies to prioritize these aspects to foster loyalty. They also stress the need for governments to ensure a safer internet with up-to-date rules and for citizens to use their voices to advocate for technology that respects basic rights.
Mindmap
Keywords
💡Cayla
💡Internet of Things (IoT)
💡Speech Recognition Technology
💡Personal Information
💡Targeted Advertising
💡Terms and Conditions
💡Bluetooth
💡Consumer Rights
💡Data Privacy
💡Informed Consent
💡Dating Apps
Highlights
Cayla, an internet-connected toy, was voted toy of the year but was found to be harvesting personal information.
The toy's speech recognition technology could be exploited to collect data from children and their families.
Cayla's app required parental consent to terms that allowed for data collection and sharing with third parties.
The toy could be connected to by anyone with a smartphone within range, posing a security risk.
A live hack demonstrated how easy it was to connect to Cayla from outside the room.
The company claimed that only IT experts could breach Cayla's security, which was disproven during the live hack.
As a result of the investigation, Cayla was banned in Germany and removed from shelves by major retailers.
The speaker's team read the terms of popular apps aloud, taking over 31 hours, to show the impracticality of user consent.
The dating app investigation revealed that users grant perpetual rights to their content upon joining.
The dating app's terms allowed for the use of personal data in ads and other commercial practices.
The potential misuse of personal data can lead to financial loss, subconscious manipulation, and discrimination.
The dating companies changed their policies globally following a legal complaint filed by the speaker's organization.
The speaker argues that companies should prioritize privacy and security to build trust with users.
Governments are urged to create a safer internet by ensuring enforcement and up-to-date rules.
Citizens are encouraged to use their voice to remind the world that technology should respect basic rights.
Transcripts
Do you remember when you were a child,
you probably had a favorite toy that was a constant companion,
like Christopher Robin had Winnie the Pooh,
and your imagination fueled endless adventures?
What could be more innocent than that?
Well, let me introduce you to my friend Cayla.
Cayla was voted toy of the year in countries around the world.
She connects to the internet and uses speech recognition technology
to answer your child's questions,
respond just like a friend.
But the power doesn't lie with your child's imagination.
It actually lies with the company harvesting masses of personal information
while your family is innocently chatting away in the safety of their home,
a dangerously false sense of security.
This case sounded alarm bells for me,
as it is my job to protect consumers' rights in my country.
And with billions of devices such as cars,
energy meters and even vacuum cleaners expected to come online by 2020,
we thought this was a case worth investigating further.
Because what was Cayla doing
with all the interesting things she was learning?
Did she have another friend she was loyal to and shared her information with?
Yes, you guessed right. She did.
In order to play with Cayla,
you need to download an app to access all her features.
Parents must consent to the terms being changed without notice.
The recordings of the child, her friends and family,
can be used for targeted advertising.
And all this information can be shared with unnamed third parties.
Enough? Not quite.
Anyone with a smartphone can connect to Cayla
within a certain distance.
When we confronted the company that made and programmed Cayla,
they issued a series of statements
that one had to be an IT expert in order to breach the security.
Shall we fact-check that statement and live hack Cayla together?
Here she is.
Cayla is equipped with a Bluetooth device
which can transmit up to 60 feet,
a bit less if there's a wall between.
That means I, or any stranger, can connect to the doll
while being outside the room where Cayla and her friends are.
And to illustrate this,
I'm going to turn Cayla on now.
Let's see, one, two, three.
There. She's on. And I asked a colleague
to stand outside with his smartphone,
and he's connected,
and to make this a bit creepier ...
(Laughter)
let's see what kids could hear Cayla say in the safety of their room.
Man: Hi. My name is Cayla. What is yours?
Finn Myrstad: Uh, Finn.
Man: Is your mom close by?
FM: Uh, no, she's in the store.
Man: Ah. Do you want to come out and play with me?
FM: That's a great idea.
Man: Ah, great.
FM: I'm going to turn Cayla off now.
(Laughter)
We needed no password
or to circumvent any other type of security to do this.
We published a report in 20 countries around the world,
exposing this significant security flaw
and many other problematic issues.
So what happened?
Cayla was banned in Germany,
taken off the shelves by Amazon and Wal-Mart,
and she's now peacefully resting
at the German Spy Museum in Berlin.
(Laughter)
However, Cayla was also for sale in stores around the world
for more than a year after we published our report.
What we uncovered is that there are few rules to protect us
and the ones we have are not being properly enforced.
We need to get the security and privacy of these devices right
before they enter the market,
because what is the point of locking a house with a key
if anyone can enter it through a connected device?
You may well think, "This will not happen to me.
I will just stay away from these flawed devices."
But that won't keep you safe,
because simply by connecting to the internet,
you are put in an impossible take-it-or-leave-it position.
Let me show you.
Like most of you, I have dozens of apps on my phone,
and used properly, they can make our lives easier,
more convenient and maybe even healthier.
But have we been lulled into a false sense of security?
It starts simply by ticking a box.
Yes, we say,
I've read the terms.
But have you really read the terms?
Are you sure they didn't look too long
and your phone was running out of battery,
and the last time you tried they were impossible to understand,
and you needed to use the service now?
And now, the power imbalance is established,
because we have agreed to our personal information
being gathered and used on a scale we could never imagine.
This is why my colleagues and I decided to take a deeper look at this.
We set out to read the terms
of popular apps on an average phone.
And to show the world how unrealistic it is
to expect consumers to actually read the terms,
we printed them,
more than 900 pages,
and sat down in our office and read them out loud ourselves,
streaming the experiment live on our websites.
As you can see, it took quite a long time.
It took us 31 hours, 49 minutes and 11 seconds
to read the terms on an average phone.
That is longer than a movie marathon of the "Harry Potter" movies
and the "Godfather" movies combined.
(Laughter)
And reading is one thing.
Understanding is another story.
That would have taken us much, much longer.
And this is a real problem,
because companies have argued for 20 to 30 years
against regulating the internet better,
because users have consented to the terms and conditions.
As we've shown with this experiment,
achieving informed consent is close to impossible.
Do you think it's fair to put the burden of responsibility on the consumer?
I don't.
I think we should demand less take-it-or-leave-it
and more understandable terms before we agree to them.
(Applause)
Thank you.
Now, I would like to tell you a story about love.
Some of the world's most popular apps are dating apps,
an industry now worth more than, or close to, three billion dollars a year.
And of course, we're OK sharing our intimate details
with our other half.
But who else is snooping,
saving and sharing our information
while we are baring our souls?
My team and I decided to investigate this.
And in order to understand the issue from all angles
and to truly do a thorough job,
I realized I had to download
one of the world's most popular dating apps myself.
So I went home to my wife ...
(Laughter)
who I had just married.
"Is it OK if I establish a profile on a very popular dating app
for purely scientific purposes?"
(Laughter)
This is what we found.
Hidden behind the main menu was a preticked box
that gave the dating company access to all my personal pictures on Facebook,
in my case more than 2,000 of them,
and some were quite personal.
And to make matters worse,
when we read the terms and conditions,
we discovered the following,
and I'm going to need to take out my reading glasses for this one.
And I'm going to read it for you, because this is complicated.
All right.
"By posting content" --
and content refers to your pictures, chat
and other interactions in the dating service --
"as a part of the service,
you automatically grant to the company,
its affiliates, licensees and successors
an irrevocable" -- which means you can't change your mind --
"perpetual" -- which means forever --
"nonexclusive, transferrable, sublicensable, fully paid-up,
worldwide right and license to use, copy, store, perform,
display, reproduce, record,
play, adapt, modify and distribute the content,
prepare derivative works of the content,
or incorporate the content into other works
and grant and authorize sublicenses of the foregoing in any media
now known or hereafter created."
That basically means that all your dating history
and everything related to it can be used for any purpose for all time.
Just imagine your children seeing your sassy dating photos
in a birth control ad 20 years from now.
But seriously, though --
(Laughter)
what might these commercial practices mean to you?
For example, financial loss:
based on your web browsing history,
algorithms might decide whether you will get a mortgage or not.
Subconscious manipulation:
companies can analyze your emotions based on your photos and chats,
targeting you with ads when you are at your most vulnerable.
Discrimination:
a fitness app can sell your data to a health insurance company,
preventing you from getting coverage in the future.
All of this is happening in the world today.
But of course, not all uses of data are malign.
Some are just flawed or need more work,
and some are truly great.
And there is some good news as well.
The dating companies changed their policies globally
after we filed a legal complaint.
But organizations such as mine
that fight for consumers' rights can't be everywhere.
Nor can consumers fix this on their own,
because if we know that something innocent we said
will come back to haunt us,
we will stop speaking.
If we know that we are being watched and monitored,
we will change our behavior.
And if we can't control who has our data and how it is being used,
we have lost the control of our lives.
The stories I have told you today are not random examples.
They are everywhere,
and they are a sign that things need to change.
And how can we achieve that change?
Well, companies need to realize that by prioritizing privacy and security,
they can build trust and loyalty to their users.
Governments must create a safer internet
by ensuring enforcement and up-to-date rules.
And us, the citizens?
We can use our voice
to remind the world that technology can only truly benefit society
if it respects basic rights.
Thank you so much.
(Applause)
5.0 / 5 (0 votes)