A journalist's chilling discovery about our phones
Exploring Data Privacy Risks
Introduction to the Investigation
- A few weeks ago, agents from DGSI, DGSE, and GIGN were located not through surveillance or hacking but by installing common applications on their phones.
- Journalists from Le Monde sought to uncover where data goes when these apps are installed, leading them to a disturbing advertising database.
Key Findings of the Investigation
- Martin Untersinger, one of the journalists involved in this explosive investigation, discusses how they identified sensitive agents and the uncontrollable nature of data markets.
- The investigation is part of a series that began in 2017 focusing on personal data extracted from mobile devices; it aims to understand implications for individuals in sensitive professions.
Data Analysis and Implications
- They obtained a database containing 16 million French advertising identifiers and analyzed geolocated data from DGSE premises.
- Hundreds of phones were found pinging within DGSE locations, raising concerns about tracking personnel's movements outside work environments.
Broader Security Concerns
- The ease of identifying home addresses and personal activities of sensitive job holders poses significant risks for national security personnel like those at DGSI and GIGN.
- Specific instances included tracking phones near critical locations such as Élysée Palace and military bases, highlighting vulnerabilities in protecting high-profile individuals.
Conclusion on Data Vulnerability
- While public figures' movements may be known through official channels, the real danger lies in exposing private details about their protectors.
- The investigation confirmed that many identified residences belonged to actual members working within sensitive government agencies.
Understanding a Massive CSV Dataset
Overview of the CSV Data
- The dataset consists of a large CSV file containing 16 million rows, which raises questions about its contents and acquisition.
- The data was sourced from a commercial sample provided by a personal data broker, whose role is to collect, aggregate, and resell advertising data to industry players.
Acquisition Process
- The speaker mentions that they did not identify themselves as journalists when requesting the sample; it was relatively easy to obtain after demonstrating business relevance.
- The accuracy of the geolocation data varies; for this investigation, 80-90% of the data was derived from precise GPS locations.
Data Characteristics
- Other datasets may use IP addresses for geolocation, resulting in less accurate city-level information.
- Information such as application names and user agents can help deduce interests even without direct geolocation.
Correlation and Analysis
- The dataset allows for correlation analysis based on location; however, specific individual preferences (e.g., food choices) are not directly visible in this dataset.
- Brokers utilize such correlations to target specific demographics effectively for advertising purposes.
Security Implications
- The discussion highlights potential security risks where sensitive information about individuals (like security agents' interests) could be exploited.
- An alarming example is given where tracking revealed detailed movements of an individual associated with law enforcement, raising concerns about privacy breaches.
Precision of Geolocation Data
- Advanced triangulation methods can pinpoint device locations within 3 to 4 meters, allowing insights into specific areas within homes.
- Questions arise regarding the origins of these datasets; while this particular dataset lacks source information, previous investigations have shown that any app requesting geolocation can contribute data if users consent.
Conclusion on Data Usage
- Users often unknowingly agree to share their location when using applications. This collected data is then utilized in various ways across advertising markets.
Geolocation and Data Privacy in Mobile Applications
The Role of Geolocation in Apps
- Geolocation is a fundamental feature of many applications, exemplified by Google Maps, which tracks users' locations continuously. This raises concerns about data privacy and potential misuse by app developers.
- Developers often integrate tools like Google Analytics through SDKs (Software Development Kits) to gather user statistics, which can lead to the monetization of user data through advertisements.
Data Collection and User Awareness
- Users may not fully understand who collects their geolocation data when they grant permission to an app. Terms of service often list numerous companies that could potentially access this information.
- The complexity arises from the fact that data can be collected by third parties not directly associated with the app itself, complicating transparency for users regarding their data's journey.
Advertising Market Dynamics
- Online advertising operates through marketplaces where advertisers bid on user attention based on location and profile information. This process can lead to widespread dissemination of personal data without user consent.
- While best practices suggest that advertisers should not retain personal information post-auction, some entities do store this data, creating extensive databases without direct ties to the original application.
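An added example (not from the interview or from Le Monde's investigation) of data minimization on the app publisher's side of the auction described above: identifiers are stripped and location is coarsened before the request reaches bidders, so a bidder that keeps auction data has nothing device-level to store. It assumes the marketplace uses OpenRTB 2.x-style bid requests; the sample request, the function names and the one-decimal precision policy are assumptions.

```python
import copy

# Constructed sample shaped like an OpenRTB 2.x bid request (not real data).
SAMPLE_BID_REQUEST = {
    "id": "req-0001",
    "app": {"bundle": "com.example.weather"},
    "device": {
        "ifa": "00000000-1111-2222-3333-444444444444",  # advertising identifier
        "lmt": 0,
        "ip": "203.0.113.57",
        "geo": {"lat": 48.856613, "lon": 2.352222, "type": 1},  # type 1 = GPS
    },
    "user": {"id": "u-42", "buyeruid": "b-99"},
}

# Fields that let a bidder link this request to one device or person.
IDENTIFIER_PATHS = [("device", "ifa"), ("user", "id"), ("user", "buyeruid")]


def residual_identifiers(req):
    """List the identifier fields still present, as dotted paths."""
    return [f"{a}.{b}" for a, b in IDENTIFIER_PATHS if b in req.get(a, {})]


def minimize_bid_request(req, geo_decimals=1):
    """Return a copy with identifiers removed and location coarsened.

    geo_decimals=1 keeps about 11 km of latitude resolution (assumed policy).
    """
    out = copy.deepcopy(req)
    for parent, field in IDENTIFIER_PATHS:
        out.get(parent, {}).pop(field, None)
    device = out.setdefault("device", {})
    device["lmt"] = 1  # "limit ad tracking" flag for downstream parties
    ip = device.pop("ip", None)
    if ip and ip.count(".") == 3:  # IPv4: keep the network, zero the host octet
        device["ip"] = ip.rsplit(".", 1)[0] + ".0"
    device.pop("ipv6", None)  # dropped rather than truncated in this sketch
    geo = device.get("geo", {})
    for axis in ("lat", "lon"):
        if axis in geo:
            geo[axis] = round(geo[axis], geo_decimals)
    return out


if __name__ == "__main__":
    cleaned = minimize_bid_request(SAMPLE_BID_REQUEST)
    print(residual_identifiers(SAMPLE_BID_REQUEST), "->", residual_identifiers(cleaned))
    print(cleaned["device"])
```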
User Consent and Tracking Limitations
- Users might assume that only the game developer manages ads within a mobile game; however, developers often rely on external SDKs for ad revenue generation, leading to broader tracking than anticipated.
- Recent iOS updates have introduced features aimed at limiting tracking capabilities for apps that continuously access geolocation in the background, indicating a shift towards greater user privacy protection.
Ongoing Conflicts Between Tech Giants and Advertisers
- A conflict exists between major tech companies like Apple and Google versus advertising firms over data accessibility. Advertisers seek comprehensive datasets while tech companies aim to restrict such access for privacy reasons.
- Continuous geolocation tracking is typically limited; most users do not share their location indefinitely due to app inactivity or settings adjustments, resulting in incomplete datasets for advertisers.
Case Studies: Real-world Implications
- Specific applications like Le Bon Coin have been noted for sharing GPS-based geolocation data with brokers. However, responsibility may be diffuse as secondary actors can acquire this information without direct involvement from the primary app provider.
- The challenge lies in identifying specific apps involved in these datasets due to frequent changes in policies and practices surrounding data sharing among various stakeholders within digital marketplaces.
By understanding these dynamics around geolocation and privacy issues within mobile applications, users can make more informed decisions about their digital interactions.
Understanding Data Privacy and Consent
The Role of Apps in Data Collection
- Discussion on the monetization of weather apps through advertising, highlighting the necessity for data collection to generate revenue.
- Mention of language learning apps like Word Beat, illustrating how users often overlook data privacy concerns when using seemingly harmless applications.
Challenges in Data Traceability
- An example from "Le Monde" where user data was extracted without clear traceability, raising questions about data ownership and transparency.
- Legal complexities surrounding personal data collection; emphasis on consent as a critical factor for legality.
Understanding Consent in Data Usage
- Explanation of what constitutes valid consent under data protection laws, stressing that it must be informed and specific rather than vague or generalized.
- Clarification that consent should not be bundled with multiple options but should be explicit for each use case.
Issues with Current Practices
- Critique of companies claiming GDPR compliance while failing to provide clear information on how user data is utilized.
- Highlighting the lack of accountability among companies regarding user consent, leading to widespread confusion and mistrust.
Fragmentation and Enforcement Challenges
- Discussion on the fragmented nature of the ecosystem where even if sanctions are imposed, they often target smaller players rather than major corporations like Facebook or Google.
- Noting that many startups can evade consequences by rebranding after being penalized, perpetuating problematic practices within the industry.
The Broader Implications of Data Use
- Insight into how collected datasets are utilized beyond advertising; mentioning law enforcement's interest in accessing these datasets for surveillance purposes.
- Description of companies operating covertly to gather and sell user data to authorities, emphasizing ethical concerns surrounding such practices.
Advertising and Surveillance: The Intersection of Technology and Privacy
Exploiting Advertising for Espionage
- The discussion begins with the concept of retrieving advertising identifiers, which can be used to track individuals based on their location and time. This method highlights how advertisements serve as a direct attack surface on mobile devices.
- Mobile browsers are continuously patched for vulnerabilities, yet they remain susceptible due to their nature of displaying external content, making them significant targets for exploitation.
- Companies specializing in spyware leverage advertising data to target users. They inform clients that by obtaining an advertising identifier, they can deliver malicious ads directly to specific individuals.
- The automated bidding system in online advertising allows targeting based on broad demographics or specific identifiers. High bids can be placed on individual advertising identifiers, raising concerns among authorities about privacy violations.
Concerns Over Sophisticated Spyware
- The National Cybersecurity Agency (ANSSI) has raised alarms regarding sophisticated spyware like Pegasus, which exploits unknown vulnerabilities in software such as Apple’s systems to infiltrate devices.
- Two main technical challenges exist for spyware developers: finding software vulnerabilities and establishing effective vectors for delivery. Early methods required user interaction (e.g., clicking links), while advanced techniques have evolved into zero-click exploits.
- Zero-click exploits allow attackers to infiltrate devices without any action from the target. For instance, initiating a WhatsApp call could trigger an exploit during preliminary exchanges between devices.
Advertising Intelligence as a Surveillance Tool
- Similarities are drawn between exploiting browser vulnerabilities through advertisements and other forms of communication like WhatsApp. Both methods involve leveraging external code execution opportunities within applications.
- Even if malware delivery via ads fails, intelligence agencies still find value in tracking user behavior through collected data—this practice is referred to as "advertising intelligence."
- Companies like Fog Reveal offer services that allow clients (often security agents) to track individuals using advertising identifiers at substantial monthly fees, illustrating the monetization of surveillance capabilities without extensive data collection efforts.
Locate X and Sensitive Data Collection
The Issue of Sensitive Data Tracking
- Discussion on "Locate X" by Babel Street, which tracks individuals visiting abortion clinics in states where it is criminalized. This raises ethical concerns about data privacy.
- Emphasis on the sensitivity of personal data, highlighting that it affects not only sensitive personnel but everyone, including investigative journalists in authoritarian regimes.
Potential Risks and Dystopian Scenarios
- The potential for personal data to be used against individuals poses significant risks, especially for vulnerable populations.
- Example given of insurance companies potentially monitoring lunch choices (e.g., fast food vs. healthy options), leading to financial incentives or penalties based on lifestyle choices.
Responsibility and Awareness
- Raises the question of what actions can be taken to mitigate risks associated with data exposure.
- Suggestion that individuals should take responsibility by managing app permissions and regularly resetting advertising identifiers, though this may not be realistic for all users.
Challenges in Implementing Security Measures
- Difficulty in providing clear security guidelines due to practical challenges faced by employees who must balance work and personal life while adhering to security protocols.
- Mention of specific cases where following security advice (like leaving phones in vehicles at sensitive locations) does not effectively prevent data tracking.
Organizational Awareness and Limitations
- Organizations like DGSE are aware of these issues but face recruitment challenges when imposing strict phone policies on employees.
- Discussion on how organizations manage sensitive information about their employees to prevent coercion or pressure from hostile entities.
Practical Steps for Individuals
- For everyday users, being cautious about sharing location data is crucial; however, there are limited options beyond reducing app usage.
- Developers are encouraged to refer to guidelines from the CNIL for best practices regarding user data protection.
What Did the FBI Find in the Basement?
Discussion on Application Publishers and Legal Implications
- The conversation highlights that it is the application publisher who decides what to include in their software, emphasizing user agency in selection.
- Legally, users are responsible for their choices regarding applications, indicating a significant personal accountability aspect.
- A recommendation is made to check out a specific segment about findings by the FBI in a house's basement, hinting at intriguing discoveries related to technology.
- Mention of rows of computers that are not used for Bitcoin mining suggests an unexpected or misleading use of technology found by authorities.