March 7, 2021

New Research on Privacy and Security Risks of Remote Learning Software

This post and the paper is jointly authored by Shaanan Cohney, Ross Teixeira, Anne Kohlbrenner, Arvind Narayanan, Mihir Kshirsagar, Yan Shvartzshnaider, and Madelyn Sanfilippo. It emerged from a case study at CITP’s tech policy clinic.

As universities rely on remote educational technology to facilitate the rapid shift to online learning, they expose themselves to new security risks and privacy violations. Our latest research paper, “Virtual Classrooms and Real Harms,” advances recommendations for universities and policymakers to protect the interests of students and educators.

The paper develops a threat model that describes the actors, incentives, and risks in online education. Our model is informed by our survey of 105 educators and 10 administrators who identified their expectations and concerns. We use the model to conduct a privacy and security analysis of 23 popular platforms using a combination of sociological analyses of privacy policies and 129 state laws (available here), alongside a technical assessment of platform software.

Our threat model diagrams typical remote learning data flows. An “appropriate” flow is informed by established educational norms. The flow marked end-to-end encryption represents data that is not ordinarily accessible to the platform.

In the physical classroom, there are educational norms and rules that prevent surreptitious recording of the classroom and automated extraction of data. But when classroom interactions shift to a digital platform, not only does data collection become much easier, the social cues that discourage privacy harms are weaker and participants are exposed to new security risks. Popular platforms, like Canvas, Piazza, and Slack, take advantage of this changed environment to act in ways that would be objectionable in the physical classroom—such as selling data about interactions to advertisers or other third parties. As a result, the established informational norms in the educational context are severely tested by remote learning software.

We analyze the privacy policies of 23 major platforms to find where those policies conflict with educational norms. For example, 41% of the policies permitted a platform to share data with advertisers, which conflicts with at least 21 state laws, while 23% allowed a platform to share location data. However, the privacy policies are not the only documents that shape platform practices. Universities use Data Protection Addenda (DPAs) for the institutional licenses that they negotiate with the platform to supplement or even supplant the default privacy policy. We reviewed 50 DPAs from 45 Universities, finding that the addenda were able to cause platforms to significantly shift their data practices, including stricter limits on data retention and use.

We also discuss the limitations of current federal and state regulation to address the risks we identified. In particular, the current laws lack specific guidance for platforms and educational institutions to protect privacy and security and have limited penalties for noncompliance. More broadly, the existing legal framework is geared toward regulating specific information types and a small subset of actors, rather than specifying transmission principles for appropriate use that would be more durable as the technology evolves.

What can be done to better protect students and educators? We offer the following five recommendations:

  1. Educators should understand that there are significant differences between free (or individually licensed) versions of software and institutional versions. Universities need to work on informing educators about those differences and encourage them to use institutionally-supported software.
  2. Universities should use their ability to negotiate DPAs and institute policies to make platforms modify their default practices that are in tension with institutional values.
  3. Crucially, universities should not spend all their resources on a complex vetting process before licensing software. That path leads to significant usability problems for end users, without addressing the security and privacy concerns. Instead, universities should recognize that significant user issues tend to surface only after educators and students have used the platforms and create processes to collect those issues and have the software developers rapidly fix the problems.
  4. Universities should establish clear principles for how software should respect the norms of the educational context and require developers to offer products that let them customize the software for that setting.
  5. Federal and state regulations can be improved by making platforms more accountable for compliance with legal requirements, and giving institutions a mandate to require baseline security practices, much like financial institutions have to protect consumer information under the Federal Trade Commission’s Safeguards Rule.

The shift to virtual learning requires many sacrifices from educators and students already. As we integrate these new learning platforms in our educational systems, we should ensure they reflect established educational norms and do not require users to sacrifice usability, security, and privacy.

We thank the members of Remote Academia and the university administrators who participated in the study. Remote Academia is a global Slack-based community, that gives faculty and other education professionals a space to share resources and techniques for remote learning. It was created by Anne, Ross, and Shaanan.

Vulnerability reporting is dysfunctional

By Kevin Lee, Ben Kaiser, Jonathan Mayer, and Arvind Narayanan

In January, we released a study showing the ease of SIM swaps at five U.S. prepaid carriers.  These attacks—in which an adversary tricks telecoms into moving the victim’s phone number to a new SIM card under the attacker’s control—divert calls and SMS text messages away from the victim. This allows attackers to receive private information such as SMS-based authentication codes, which are often used in multi-factor login and password recovery procedures. 

We also uncovered 17 websites that use SMS-based multi-factor authentication (MFA) and SMS-based password recovery simultaneously, leaving accounts open to takeover from a SIM swap alone; an attacker can simply reset a victim’s account password and answer the security challenge when logging in. We responsibly disclosed the vulnerabilities to those websites in early January, urging them to make changes to disallow this configuration. Throughout the process, we encountered two wider issues: (1) lack of security reporting mechanisms, and (2) a general misunderstanding of authentication policies. As a result, 9 of these 17 websites, listed below, remain vulnerable by default.

Disclosure Process. On each website, we first looked for email addresses dedicated to vulnerability reporting; if none existed, we looked for the companies on bug bounty platforms such as HackerOne. If we were unable to reach a company through a dedicated security email or through bug bounty programs, as a last resort, we reached out through customer support channels. Sixty days after our reports, we re-tested the configurations at the companies, except for those that reported that they had fixed the vulnerabilities.

Outcomes. Three companies—Adobe, Snapchat, and eBay—acknowledged and promptly fixed the vulnerabilities we reported. In one additional case, the vulnerability was fixed, but only after we exhausted the three contact options and reached out to company personnel via a direct message on Twitter. In three cases—Blizzard, Microsoft, and Taxact—our vulnerability report did not produce the intended effect (Microsoft and Taxact did not understand the issue, Blizzard provided a generic acknowledgment email), but in our 60-day re-test, we found that the vulnerabilities had been fixed (without the companies notifying us). As such, we do not know whether the fixes were implemented in light of our research.

Among the responses we received, there were several failure modes, which were not mutually exclusive. 

  • In five cases, personnel did not understand our vulnerability report, despite our attempts to make it as clear as possible (see Appendix B of our paper). Three of them—Microsoft, Paypal, and Yahoo—demonstrated knowledge of SIM swap attacks, but did not realize that their SMS authentication policies were allowing for vulnerable accounts. Paypal, for instance, closed our report as out-of-scope, claiming that “the vulnerability is not in Paypal, as you mentioned this is an issue with the carriers and they need to fix it on their side.While phone number hijackings are the result of poor customer authentication procedures at the carriers, account hijackings resulting from SMS passcode interception are the result of poor authentication policies at websites. The remaining two websites—Taxact and Gaijin Entertainment—misinterpreted our disclosure as a feature request and feedback, respectively.
  • Three of the four reports we submitted to third-party bug bounty programs were disregarded due to the absence of a bug (our findings are not software errors, but rather, logically inconsistent customer authentication policies). Reports are screened by employees of the program, who are independent of the website, and passed on to the website’s security teams if determined to be in scope. These third-party platforms appear to be overly strict with their triage criteria, preventing qualified researchers from communicating with the companies. This issue is not unique to our study, either. A few weeks ago, security researchers also reported difficulties with submitting vulnerability reports to Paypal, which uses HackerOne as its sole security reporting mechanism. HackerOne employs mechanisms that restrict users from submitting future reports after too many closed reports, which could disincentivize users from reporting legitimate vulnerabilities.
  • In five cases, we received no response. 
  • All four attempts to report security vulnerabilities through customer support channels were fruitless: either we received no response or personnel did not understand the issue.   

We have listed all 17 responses in the table below. Unfortunately, nine of these websites use SMS-based MFA and SMS-based password recovery by default and remain so as of this writing. Among them are payment services PayPal and Venmo. The vulnerable websites cumulatively have billions of users. 

Recommendations

We recommend that companies make the following changes to their vulnerability response:

  1. Companies need to realize that policy-related vulnerabilities are very real, and should use threat modeling to detect these. There seems to be a general lack of knowledge about vulnerabilities arising from weak authentication policies.
  2. Companies should provide direct contact methods for security reporting procedures. A bug bounty program is not a substitute for a robust security reporting mechanism, yet some companies are using it as such. Furthermore, customer support channels—whose personnel are unlikely to be trained to respond to security vulnerability disclosures—add a level of indirection and can lead to vulnerability reports being forwarded to inappropriate teams.  

Our paper, along with our dataset, is located at issms2fasecure.com.

Thanks to Malte Möser for providing comments on a draft.

The CheapBit of Fitness Trackers Apps

Yan Shvartzshnaider (@ynotez) and Madelyn Sanfilippo (@MrsMRS_PhD)

Fitness trackers are “[devices] that you can wear that records your daily physical activity, as well as other information about your health, such as your heart rate” [Oxford Dictionary]. The increasing popularity of wearable devices offered by Apple, Google, Nike inadvertently led cheaper versions to flood the market, along with the emergence of alternative non-tech, but fashionable brand devices. Cheaper versions ostensibly offer similar functionality for one-tenth of the price, which makes them very appealing to consumers. On Amazon, many of these devices receive overall positive feedback and an average of 4-5 star reviews. Some of them are even labeled as “Amazon’s choice” and “Best buyer” (e.g. Figure 1), which reinforces their popularity.

In this blog post, we examine privacy issues around these cheaper alternatives devices, specifically focusing on the ambiguities around third party apps they are using. We report our preliminary results into a few apps that seem to dominate the marketspace. Note that fashion brands also employ third party apps like WearOS by Google, but they tend to be more recognizable and subject to greater consumer protection scrutiny. This makes them different than lesser-known devices.

Figure 1: LETSCOM, uses VeryFitPro, with over 13K reviews, labeled as Amazon’s Choice and is marketed to children.

Do consumers in fact pay dearly for the cheaper version of these devices?

Privacy issues are not unique to cheaper brands. Any “smart device” that has the ability to collect, process and share information about you and the surrounding environment, can potentially violate your privacy.  Security issues also play an important role. Services like Mozilla’s Privacy Not Included and Consumer reports help navigate the treacherous landscape.  However, even upholding the Minimum Security Standards  doesn’t prevent privacy violations due to inappropriate use of information, see Strava and Polar incidents.  

Given that most of the analysis is typically done by an app paired with a fitness tracker, we decided to examine the “CheapBit” products sold on Amazon,  with a large average number of reviews and answered questions, to see which apps they pair with. We found that the less-expensive brands are dominated by a few third-party apps primarily developed by small teams (or individuals) and do not provide any real description as to how data are used and shared. 

But what do we know about these apps?   

The VeryFitPro app seems to be the choice of many of the users buying the cheaper fitness trackers alternatives. The app has  5,000,000+ installs, according to Google Play, where it lists an email of the developer and the website with just a QR code to download the app. The app has access to an extensive list of permissions: SMS, Camera, Location, Wifi information, Device ID & Call information, Device & app history, Identity, Phone, Storage, Contacts, and Photo/Media/Files! The brief privacy policy appears to be translated into English using an automatic translation tool, such as Google Translate.

Surprisingly,  what appears to be the same app on the Apple Store points to a different privacy policy altogether, hosted on a Facebook page! The app  provides a different contact email  () and policy is even shorter than on the Play Store. In a three-paragraph policy, we are reassured that  “some of your fitness information and sports data will be stored in the app, but your daily activities data will never be shared without permission.” and with a traditional “We reserve the right, in our decision to change, modify, add or remove portions of this policy at any time. Please check this page periodically for any changes. Publish any changes to these terms if you continue to use our App future will mean that you have accepted these adjustments. [sic]” No additional information is provided.

While we found the VeryFitPro to be common among cheap fitness trackers, especially high-rated ones, it is not unique. Other apps such as JYouPro, which has access to the same range of permissions, offer privacy policy which is just two paragraphs long which also reassures users that “[they] don’t store personal information on our servers unless required for the on-going operation of one of our services.” The Apple version offers a slightly longer version of the policy. In it, we find that “When you synchronise the Band data, e.g. to JYouPro Cloud Service, we may collect data relating to your activities and functionalities of JYouPro, such as those obtained from our sensors and features on JYouPro, your sleeping patterns, movement data, heart rate data, and smart alarm related information.” Given that JYouPro is used by a large number of devices, their “Cloud service” seems to be sitting on a very lucrative data set. The policy warns us: “Please note also that for the above, JYouPro may use overseas facilities operated and controlled by JYouPro to process or back up your personal data. Currently, JYouPro has data centres in Beijing and Singapore.

These are however not the worst offenders. Developers behind apps like MorePro and Wearfit didn’t even bother to translate their privacy policies from Chinese!

Users’ privacy concerns

These third-party apps are incredibly popular and pervade the low-end wearable market: VeryFitPro ( 5,000,000+ installs), JYouPro (500,000+ installs), WearFit (1,000,000+ installs). With little oversight, they are able to collect and process lots of potentially sensitive information from having access to contacts, camera, location, and other sensors data from a large number of users.  Most of them are developed by small teams or unknown Chinese firms, which dominate the mHealth market.  

A small portion of users on Amazon express privacy concerns. For one of the top selling products LETSCOM Fitness Tracker  which uses VeryFitPro with 4/5 stars, 14,420 ratings and 1000+ answered questions, marketed towards “Kids Women and Men”, we were able to find only a few questions on privacy.  Notably, none of the questions was upvoted, so we suspect the remain unseen by the typical buyer. For example, one user was asking “What is the privacy policy for the app? How secure is the personal information? [sic]” to which another user (not the manufacturer) replied “A: This connects to your phone by bluetooth. That being said, I guess you could connect it only when you are in a secure location but then you wouldn’t have the message or phone notifications.” A similar concern was raised by another user “What is this company’s policy on data privacy? Will they share or sell the data to third parties?”

In another popular product, Lintelek Fitness Tracker with Heart Rate Monitor which used VeryFitPro with 4/5 stars, 4,050 ratings. Out of 1000+ answered questions, only a couple mentioned privacy. The first user gave a product 1 start with ominous warning “Be sure to read the privacy agreement before accepting this download”. Interestingly, the second user rated the product with 5 stars and gave a very positive review that ends with “Only CON: read the privacy statement if you are going to use the text/call feature. They can use your information. I never turned it on – I always have my phone anyway.

The fact that buyers of these devices do not investigate the privacy issues is troubling. Previous research showed that consumers will think that if a company has a privacy policy it protects their privacy. It seems to be clear that consumers need help from the platform. Amazon, Google and Apple ought to better inform consumers about potential privacy violations. In addition to consumer protection obligations by these platforms, regulators ought to apply increased scrutiny. While software are not conventional medical devices, hence not covered by HIPAA, some medical apps do fall under FDA authority, including apps that correspond with wearables.  Furthermore, as in Figure 1 shows, these devices are marketed to children so the app should be subject to enforcement of children’s privacy standards like COPPA

In conclusion, the lesser-known fitness tracking brands offer a cheaper alternative to high-end market products. However, as previous research showed, consumers of these devices are potentially paying a high-privacy price. The consumers are left to fend for themselves. In many cases, the cheaper devices pertaining to firms outside of US jurisdiction and thus US and European regulations are difficult to enforce.  Furthermore, global platforms like Amazon, Google, Apple, and others seem to turn a blind eye to privacy issues and help to promote these devices and apps. They offer unhelpful and possibly misleading labels to the consumers such as Amazon’s “best seller”, “Amazon’s choice”, Google’s Play Store’s download count and star ratings, which exacerbate an already global and complex issue. It requires proactive action on behalf of all parties to offer lasting protection of users’ privacy, one that incorporates the notions of established societal norms and expectations.


We would like to thank Helen Nissenbaum for offering her thoughts on the topic.