Data privacy and the reach of big tech into every corner of our lives are vital topics of interest to the general public, who have unwittingly in many cases, signed over unprecedented levels of access to their private lives. David Yanofsky’s investigation of Google’s data-gathering efforts falls squarely into this realm. To assess the scope of Google’s data-gathering on its latest Android operating system, David created a portable internet-connected wifi network that could eavesdrop on and forward data transmissions from three smartphones he carried around different urban centers shopping malls, stores, restaurants, and bars. What emerged was a detailed look at how much Google knows about its Android users (a lot!), and how difficult they make it for those users to understand what data is being shared and when.
What makes this project innovative?
In effect, this story required us to trick a jacket full of android phones into sending encrypted communications through our custom-built system, then parse the raw http traffic into readble files. In practice, we conducted a man-in-the-middle attack in service of our reporting. But this wasn't a standard MITM attack, it was mobile. The whole rig fig inside a backpack which allowed us to see what the phones were transmitting when they were out in the world being used like everyday phones are. Going into and out of stores, riding in cars and on transit, and hanging out in bars, we were able to capture everything our phones were broadcasting back to Google.
What was the impact of your project? How did you measure it?
The story was widely picked up by dozens of outlets and publications, including the Today Show on NBC, Fox News, Wired, Gizmodo, Fast Company, and more. It was viewed more than a million times on Quartz's site, qz.com, making it one of our most read stories of the past year. Google have not yet changed their practices in response to David's investigation, but they indicated that it was something they intend to address, and that our story had sparked "productive conversations" within the company.
Source and methodology
Quartz was able to capture transmissions of Location History information on three phones from different manufacturers, running various recent versions of Android. To accomplish this, we created a portable internet-connected wifi network that could eavesdrop and forward all of the transmissions that the devices connected to it broadcast and received. None of the devices had SIM cards inserted. We walked around urban areas; shopping centers; and into stores, restaurants, and bars. The rig recorded every relevant network request3 made by the Google Pixel 2, Samsung Galaxy S8, and Moto Z Droid that we were carrying.
We used software called SSLSplit on a laptop which accessed the internet through an additional mobile phone connected with a USB cable. The laptop was set up to share that phone's internet connection over the computer's wifi. Any device that connected to the password-protected wifi network was subject to what is known as a man-in-the-middle attack. We captured requests on ports 80, 443, 465, 993, 587, 5222, 5228, and 8443 while allowing requests on other ports to be transmitted without diversion.
We used SSLSplit, custom Python scripts, and of course, the Android operating system on a Google Pixel 2, Samsung Galaxy S8, and Moto Z Droid.