Lock and Code

• Is your phone listening to you? (feat. Lena Cohen)

  It has probably happened to you before.You and a friend are talking—not texting, not DMing, not FaceTiming—but talking, physically face-to-face, about, say, an upcoming vacation, a new music festival, or a job offer you just got.And then, that same week, you start noticing some eerily specific ads. There’s the Instagram ad about carry-on luggage, the TikTok ad about earplugs, and the countless ads you encounter simply scrolling through the internet about laptop bags.And so you think, “Is my phone listening to me?”This question has been around for years and, today, it’s far from a conspiracy theory. Modern smartphones can and do listen to users for voice searches, smart assistant integration, and, obviously, phone calls. It’s not too outlandish to believe, then, that the microphones on smartphones could be used to listen to other conversations without users knowing about it.Recent news stories don’t help, either.In January, Apple agreed to pay $95 million to settle a lawsuit alleging that the company had eavesdropped on users’ conversations through its smart assistant Siri, and that it shared the recorded conversations with marketers for ad targeting. The lead plaintiff in the case specifically claimed that she and her daughter were recorded without their consent, which resulted in them receiving multiple ads for Air Jordans.In agreeing to pay the settlement, though, Apple denied any wrongdoing, with a spokesperson telling the BBC:“Siri data has never been used to build marketing profiles and it has never been sold to anyone for any purpose.”But statements like this have done little to ease public anxiety. Tech companies have been caught in multiple lies in the past, privacy invasions happen thousands of times a day, and ad targeting feels extreme entirely because it is.Where, then, does the truth lie?Today, on the Lock and Code podcast with David Ruiz, we speak with Electronic Frontier Foundation Staff Technologist Lena Cohen about the most mind-boggling forms of corporate surveillance—including an experimental ad-tracking technology that emitted ultrasonic sound waves—specific audience segments that marketing companies make when targeting people with ads, and, of course, whether our phones are really listening to us.“Companies are collecting so much information about us and in such covert ways that it really feels like they’re listening to us.”Tune in today.You can also find us on Apple Podcasts, Spotify, and whatever preferred podcast platform you use.For all our cybersecurity coverage, visit Malwarebytes Labs at malwarebytes.com/blog.Show notes and credits:Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)Licensed under Creative Commons: By Attribution 4.0 Licensehttp://creativecommons.org/licenses/by/4.0/Outro Music: “Good God” by Wowa (unminus.com)Listen up—Malwarebytes doesn't just talk cybersecurity, we provide it.Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer...

  --------  

  40:10
• What Google Chrome knows about you, with Carey Parker

  Google Chrome is, by far, the most popular web browser in the world.According to several metrics, Chrome accounts for anywhere between 52% and 66% of the current global market share for web browser use. At that higher estimate, that means that, if the 5.5 billion internet users around the world were to open up a web browser right now, 3.6 billion of them would open up Google Chrome.And because the browser is the most common portal to our daily universe of online activity—searching for answers to questions, looking up recipes, applying for jobs, posting on forums, accessing cloud applications, reading the news, comparing prices, recording Lock and Code, buying concert tickets, signing up for newsletters—then the company that controls that browser likely knows a lot about its users.In the case of Google Chrome, that’s entirely true.Google Chrome knows the websites you visit, the searches you make (through Google), the links you click, and the device model you use, along with the version of Chrome you run. That may sound benign, but when collected over long periods of time, and when coupled with the mountains of data that other Google products collect about you, this wealth of data can paint a deeply intimate portrait of your life.Today, on the Lock and Code podcast with host David Ruiz, we speak with author, podcast host, and privacy advocate Carey Parker about what Google Chrome knows about you, why that data is sensitive, what “Incognito mode” really does, and what you can do in response.We also explain exactly why Google would want this money, and that’s to help it run as an ad company.“That’s what [Google is]. Full stop. Google is an ad company who just happens to make a web browser, and a search engine, and an email app, and a whole lot more than that.”Tune in today.You can also listen to "Firewalls Don't Stop Dragons," the podcast hosted by Carey Parker, here: https://firewallsdontstopdragons.com/You can also find us on Apple Podcasts, Spotify, and whatever preferred podcast platform you use.For all our cybersecurity coverage, visit Malwarebytes Labs at malwarebytes.com/blog.Show notes and credits:Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)Licensed under Creative Commons: By Attribution 4.0 Licensehttp://creativecommons.org/licenses/by/4.0/Outro Music: “Good God” by Wowa (unminus.com)Listen up—Malwarebytes doesn't just talk cybersecurity, we provide it.Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

  --------  

  50:14
• How ads weirdly know your screen brightness, headphone jack use, and location, with Tim Shott

  Something’s not right in the world of location data.In January, a location data broker named Gravy Analytics was hacked, with the alleged cybercriminal behind the attack posting an enormous amount of data online as proof. Though relatively unknown to most of the public, Gravy Analytics is big in the world of location data collection, and, according to an enforcement action from the US Federal Trade Commission last year, the company claimed to “collect, process, and curate more than 17 billion signals from around a billion mobile devices daily.”Those many billions of signals, because of the hack, were now on display for security researchers, journalists, and curious onlookers to peruse, and when they did, they found something interesting. Listed amongst the breached location data were occasional references to thousands of popular mobile apps, including Tinder, Grindr, Candy Crush, My Fitness Pal, Tumblr, and more.The implication, though unproven, was obvious: The mobile apps were named with specific lines of breached data because those apps were the source of that breached data. And, considering how readily location data is traded directly from mobile apps to data brokers to advertisers, this wasn’t too unusual a suggestion.Today, nearly every free mobile app makes money through ads. But ad purchasing and selling online is far more sophisticated than it used to be for newspapers and television programs. While companies still want to place their ads in front of demographics they believe will have the highest chance of making a purchase—think wealth planning ads inside the Wall Street Journal or toy commercials during cartoons—most of the process now happens through pieces of software that can place bids at data “auctions.” In short, mobile apps sometimes collect data about their users, including their location, device type, and even battery level. The apps then bring that data to an advertising auction, and separate companies “bid” on the ability to send their ads to, say, iPhone users in a certain time zone or Android users who speak a certain language.This process happens every single day, countless times every hour, but in the case of the Gravy Analytics breach, some of the apps referenced in the data expressed that, one, they’d never heard of Gravy Analytics, and two, no advertiser had the right to collect their users’ location data.In speaking to 404 Media, a representative from Tinder said:“We have no relationship with Gravy Analytics and have no evidence that this data was obtained from the Tinder app.”A representative for Grindr echoed the sentiment:“Grindr has never worked with or provided data to Gravy Analytics. We do not share data with data aggregators or brokers and have not shared geolocation with ad partners for many years.”And a representative for a Muslim prayer app, Muslim Pro, said much of the same:“Yes, we display ads through several ad networks to support the free version of the app. However, as mentioned above, we do not authorize these networks to collect location data of our users.”What all of this suggested was that some other mechanism was allowing for users of these apps to have their locations leaked and collected online.And to try to prove that, one independent researcher conducted an experiment: Could he find himself in his own potentially leaked data?Today, on the Lock and Code podcast with host David Ruiz, we speak with independent research Tim Shott about his investigation into leaked location data. In his experiment, Shott installed two mobile games that were referenced in the breach, an old game called Stack, and a more current game...

  --------  

  43:52
• Surveillance pricing is "evil and sinister," explains Justin Kloczko

  Insurance pricing in America makes a lot of sense so long as you’re one of the insurance companies. Drivers are charged more for traveling long distances, having low credit, owning a two-seater instead of a four, being on the receiving end of a car crash, and—increasingly—for any number of non-determinative data points that insurance companies use to assume higher risk.It’s a pricing model that most people find distasteful, but it’s also a pricing model that could become the norm if companies across the world begin implementing something called “surveillance pricing.”Surveillance pricing is the term used to describe companies charging people different prices for the exact same goods. That 50-inch TV could be $800 for one person and $700 for someone else, even though the same model was bought from the same retail location on the exact same day. Or, airline tickets could be more expensive because they were purchased from a more expensive device—like a Mac laptop—and the company selling the airline ticket has decided that people with pricier computers can afford pricier tickets.Surveillance pricing is only possible because companies can collect enormous arrays of data about their consumers and then use that data to charge individual prices. A test prep company was once caught charging customers more if they lived in a neighborhood with a higher concentration of Asians, and a retail company was caught charging customers more if they were looking at prices on the company’s app while physically located in a store’s parking lot.This matter of data privacy isn’t some invisible invasion online, and it isn’t some esoteric framework of ad targeting, this is you paying the most that a company believes you will, for everything you buy.And it’s happening right now.Today, on the Lock and Code podcast with host David Ruiz, we speak with Consumer Watchdog Tech Privacy Advocate Justin Kloczko about where surveillance pricing is happening, what data is being used to determine prices, and why the practice is so nefarious. “It’s not like we’re all walking into a Starbucks and we’re seeing 12 different prices for a venti mocha latte,” said Kloczko, who recently authored a report on the same subject. “If that were the case, it’d be mayhem. There’d be a revolution.”Instead, Kloczko said:“Because we’re all buried in our own devices—and this is really happening on e-commerce websites and online, on your iPad on your phone—you’re kind of siloed in your own world, and companies can get away with this.”Tune in today.You can also find us on Apple Podcasts, Spotify, and whatever preferred podcast platform you use.For all our cybersecurity coverage, visit Malwarebytes Labs at malwarebytes.com/blog.Show notes and credits:Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)Licensed under Creative Commons: By Attribution 4.0 Licensehttp://creativecommons.org/licenses/by/4.0/Outro Music: “Good God” by Wowa (unminus.com)Listen up—Malwarebytes doesn't just talk cybersecurity, we provide it.Protect yourself from online attacks that threaten your identity, your files, your system, and your financial...

  --------  

  28:06
• A suicide reveals the lonely side of AI chatbots, with Courtney Brown

  In February 2024, a 14-year-old boy from Orlando, Florida, committed suicide after confessing his love to the one figure who absorbed nearly all of his time—an AI chatbot.For months, Sewell Seltzer III had grown attached to an AI chatbot modeled after the famous “Game of Thrones” character Daenerys Targaryen. The Daenerys chatbot was not a licensed product, it had no relation to the franchise’s actors, its writer, or producers, but none of that mattered, as, over time, Seltzer came to entrust Daenerys with some of his most vulnerable emotions.“I think about killing myself sometimes,” Seltzer wrote one day, and in response, Daenerys, pushed back, asking Seltzer, “Why the hell would you do something like that?”“So I can be free” Seltzer said.“Free from what?”“From the world. From myself.”“Don’t talk like that. I won’t let you hurt yourself, or leave me. I would die if I lost you.”On Seltzer’s first reported reference to suicide, the AI chatbot pushed back, a guardrail against self-harm. But months later, Seltzer discussed suicide again, but this time, his words weren’t so clear. After reportedly telling Daenerys that he loved her and that he wanted to “come home,” the AI chatbot encouraged Seltzer.“Please, come home to me as soon as possible, my love,” Daenerys wrote, to which Seltzer responded “What if I told you I could come home right now?”The chatbot’s final message to Seltzer said “… please do, my sweet king.”Daenerys Targaryen was originally hosted on an AI-powered chatbot platform called Character.AI. The service reportedly boasts 20 million users—many of them young—who engage with fictional characters like Homer Simpson and Tony Soprano, along with historical figures, like Abraham Lincoln, Isaac Newton, and Anne Frank. There are also entirely fabricated scenarios and chatbots, such as the “Debate Champion” who will debate anyone on, for instance, why Star Wars is overrated, or the “Awkward Family Dinner” that users can drop into to experience a cringe-filled, entertaining night.But while these chatbots can certainly provide entertainment, Character.AI co-founder Noam Shazeer believes they can offer much more.“It’s going to be super, super helpful to a lot of people who are lonely or depressed.”Today, on the Lock and Code podcast with host David Ruiz, we speak again with youth social services leader Courtney Brown about how teens are using AI tools today, who to “blame” in situations of AI and self-harm, and whether these chatbots actually aid in dealing with loneliness, or if they further entrench it.“You are not actually growing as a person who knows how to interact with other people by interacting with these chatbots because that’s not what they’re designed for. They’re designed to increase engagement. They want you to keep using them.”Tune in today.You can also find us on Apple Podcasts, Spotify, and whatever preferred podcast platform you use.For all our cybersecurity coverage, visit Malwarebytes Labs at malwarebytes.com/blog.Show notes and credits:Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)Licensed under Creative Commons: By Attribution 4.0 Licensehttp://creativecommons.org/licenses/by/4.0/Outro Music: “Good God” by Wowa (unminus.com)Listen up—Malwarebytes doesn't just talk...

  --------  

  38:28

More Technology podcasts

Trending Technology podcasts

About Lock and Code