Dirty tricks during political campaigns are nothing new, but the Internet and the proliferation of mobile devices have allowed tricksters to up their games a notch. It came to light last week, for example, that Donald Trump’s campaign app was hoovering the address books on his supporters’ phones.
Trump’s app wasn’t doing anything illegal. It wasn’t even trying to hide what it was doing. The app seeks the user’s permission to download all contacts before it does so. However, both the ACLU and the Electronic Privacy Information Center have rapped the practice.
Asking for more permissions for an application than are necessary for the app to function is common among mobile apps. The classic example is the flashlight app that seeks permission to access the address book on a phone. Why would a flashlight app need address book access to function?
Nevertheless, impatient users often give overreaching apps the green light for such activity.
Too Many Permissions
“Users do not pay much attention to what apps are asking for,” said Slawek Ligier, vice president for security engineering at Barracuda Networks.
“They’re used to being asked for three, four, five permissions before they can use something, so the majority of users just click OK so they can get on with their lives,” he said. As a result, “apps have a tendency to ask for way more permissions than they really need to provide the service that they’re built for.”
For the most part, developers aren’t trying to be malicious with their permission grabs, Ligier maintained. They just might be planning for the future.
For example, when they were introduced, banking apps requested permission to use a device’s camera — even though those early apps had no use for the camera. Eventually, the banks took advantage of the camera to let users deposit checks into their accounts, so the camera permission was pertinent to the software’s functionality.
“Developers would rather ask for permissions now than later,” Ligier said.
Trump Mule Scams
Information-hungry apps aren’t the only tech tools targeting the body politic during election years. There typically are a number of scams that accompany events dominating the news.
In the current cycle, scammers are using Donald Trump’s name to attract people to “get rich while working at home” schemes, Ligier noted. Those scams usually seek to enlist people to be “money mules” for online bandits outside the U.S.
Other cons try to steer a candidate’s supporters to a website that infects their computers with malware. One such scheme used a headline about Hillary Clinton giving money to ISIS. When curious readers clicked on the link to the story, they were sent to a website that planted a remote access trojan on their computer. RATs allow hackers to take control of computers remotely.
Several scams with a political twist found their way to Brad Bussie, director of product management at Stealthbits Technologies. One was a solicitation from a Republican Party organization asking for a donation — plus his Social Security number.
“A huge red flag should go up anytime an organization calls you and asks to verify any type of personal identifiable information,” he said.
Voter Info Scam
Another pitch came from a company purportedly conducting a phone survey about the election, Bussie recalled. For taking the survey, participants would be rewarded with a trip to the Bahamas.
“How could a survey company offer everyone that takes a survey a trip to the Bahamas?” he asked.
A phishing email that appeared to come from Bussie’s state government asked him to update his voter information.
“The link looked legitimate in the email — but once I looked at the link in more detail, it would have redirected me to a site that had a different URL but similar looking background to the real site,” he said. The site wanted not only his personal information, but also common passwords he might be using for other sites.
“Many people who are scammed will enter three to five different passwords, thinking that they simply forgot what the password they used might have been before clicking on the ‘I forgot my password’ link,” he said.
Clicking on the I-forgot-my-password link on the bogus state site took Bussie to a “server not found” page.
Visa Waiver Controversy
A proposed change in the information gathered from people seeking to enter the United States without a visa has created a stir in some privacy circles. The proposal would add questions about the applicant’s social media activity to the visa waiver request form.
Answering the questions would be optional, and the information provided by the applicant would be used only to vet the application, according to a U.S. Customs and Border Protection notice published in the Federal Register.
“Collecting social media data will enhance the existing investigative process and provide [the Department of Homeland Security] greater clarity and visibility to possible nefarious activity and connections by providing an additional tool set which analysts and investigators may use to better analyze and investigate the case,” the notice explains.
Since submitting social media information is optional, the proposal appears to be relatively benign, but not everyone sees it that way.
The proposal would chill expression by both foreign nationals entering the United States and U.S. citizens, maintained the Center for Democracy and Technology.
The social media information could be used not only to subject foreign nationals to “unspecified review and monitoring of their public online activity,” but also to increase surveillance of U.S. citizens who might be connected to those nationals, CDT noted in comments submitted to CBP last week.
“This proposal would move the world of security theater online,” warned Emma Llansó, director of the CDT’s Free Expression Project. “Not only would the program be unnecessarily invasive — it would also be incredibly ineffective and expensive.”
If the data can be used effectively and without violation of individual rights, however, collecting it can make sense, noted Daniel Castro, director of the Center for Data Innovation.
“This could be useful, so we should allow [CBP] to experiment with this data,” he said.
DHS cannot determine whether it could use social media data as an effective method of screening travelers unless it first conducts a pilot program, Castro noted in comments submitted to CBP.
It would be prudent for DHS to proceed with the data collection in order to study the merits of such an effort, he continued, but it should refrain from using the data on a widespread basis until it can verify that it has produced a system that delivers beneficial results.