this post was submitted on 10 Aug 2023
2018 points (97.9% liked)


Vulnerabilities in Sogou Keyboard encryption expose keypresses to network eavesdropping.

[–] [email protected] 33 points 1 year ago* (last edited 1 year ago) (7 children)

The people here acting like their Gboard doesn't do the same is so funny.

Edit : never used nor installed tiktok.

[–] [email protected] 112 points 1 year ago (1 children)

It probably doesn't though. Obviously it's closed source making it harder to tell what's actually happening, but there's nothing stopping security analysts from looking at network usage and such. I would imagine that Google doesn't install a keylogger on every Android phone, not out of the goodness of their hearts, but because they don't want the bad publicity and lawsuits when it would inevitably be discovered.

[–] [email protected] 42 points 1 year ago* (last edited 1 year ago) (1 children)

they do collect usage stats by default though.
which include typed sentences passed through their ai model and words usage counts.
it can all be turned off and gboard seems to respect these options. it doesn't access online services unless requested with these options off.

[–] [email protected] 8 points 1 year ago* (last edited 1 year ago)

If you mean by "collect usage stats" train their AI model on-device and send the training result to Google, then yes. If you mean that the actual words get sent to Google's servers, then no. There was a study shared recently that looked into this. Only metadata about what's typed is sent. That's not nothing of course, but it's not what Tencent does at all.

E: Found it.

[–] [email protected] 59 points 1 year ago (4 children)

If you have any evidence that it does, it would be big news. Please share.

[–] [email protected] 12 points 1 year ago (1 children)

I mean he's not wrong, but also not really the same thing. Gboard does send a substantial amount of data about the things you typed to Google. It is supposedly anonymous, but they do this to get analytics, and they use this data to improve the suggestions given to you.

There has been at least one article where someone intercepted the data leaving from Gboard and found it's either unencrypted or just hashed into something like base64. This was a while back so things hopefully changed.

While Google does try not to phone home users' passwords, how can you tell what is and isn't private?

[–] [email protected] 33 points 1 year ago (31 children)

I'm going to guess you're one of the people who defends tiktok and compares it to every other social media app by saying the US government is basically the same as the Chinese government

[–] [email protected] 2 points 1 year ago (2 children)

Not op, I know for sure that China's been trying to grab as much intelligence as possible going as far as installing sniffing type software in network controllers and servers, and grabbing keystrokes from a keyboard is absolutely despicable and something they would do to grab more intelligence.

The thing I have trouble figuring out is why in the hell people would care about TikTok. What signal intelligence is coming from my wife swiping through 14,000 cat and home organization videos?

Location is turned off. The app is sandboxed. It's not allowed to access the camera or the speaker without giving some minor notification that they're on and people would notice.

I totally get that China will do bad if they can but I fail to see the ultimate danger of TikTok.

[–] [email protected] 7 points 1 year ago* (last edited 1 year ago)

From "the olden times" (Reddit link):

The type and scale of the data that TikTok collects is different than other Chinese apps.

There will be replies that talk about advanced ML and predictive algorithms. There will be replies that talk about potential hacks the app can use to bypass iOS or Android policy. That's a threat, sure, but we don't even need to go there. We can just focus on the basic data that companies like Google, Meta and TikTok explicitly tell us that they collect in their privacy policy.

Every time you open TikTok, you should assume that the Chinese government knows exactly where you are at that moment, because the app gives them access to your location through GPS. If you use the app frequently, they not only have time and location data, but they know your travel patterns too!

They know who you interact with and who those people interact with. They know what kinds of content you like and what you dislike. They can use this information to intentionally feed you with disinformation in ways that make you more likely to believe it.

The misinformation feed attack risk is not unique to TikTok. Others have already been misused in this exact way. The important difference is that when information is housed by companies like Meta and Google which are incorporated in the US, its use and storage is subject to US regulation. We can simply disallow use and storage of data and practices that we don't approve of.

If you've done something illegal or embarrassing on TikTok, it could be used to compromise you for a foreign nation's interest. If you are a 20 year old wild child, they won't have any interest in doing anything with that information right now. In a few decades, if TikTok continues its dominance in social media, China will have compromising information on an uncomfortably high number of powerful leaders and politicians. You don't even have to do something obviously stupid like say something racist or admit to a crime in a DM. For example, with just location data they can know if a politician cheated on their spouse and with whom! Imagine a politician publicly saying that they did not meet with some business leader or politician about some scandalous thing. Well, in a world where everyone has TikTok, the Chinese government knows if that's a lie or not. In theory Verizon/Meta/Apple wouldn't know that since that data is purported to be anonymized. Even if they did have that information, it's hard to imagine any US tech company using it for their own interest. A US company would likely not survive that kind of act - it would be corporate suicide. On the other hand, it is hard to imagine a foreign adversary NOT engaging in that type of blackmail when given the opportunity.

Now consider companies like Tencent. How can information on League of Legends play sessions be used to blackmail a politician, manipulate an election or foment widespread social unrest? It might be possible, but it's not easy to think of how it could be done. With TikTok, it's blindingly obvious how all of those things could happen.

Most other Chinese apps don't collect anywhere near as much personal and sensitive information. The ones that do collect the same level of sensitive data, like Tencent's QQ, aren't used by enough people where it would be realistic to speculate that this information can be used in a similarly widespread and extremely damaging way. Even then, the US government should seriously think through the damage that could be done with the information QQ collects by assuming the Chinese government has complete access to all collected data and hostile intent. With TikTok, you don't need to spend more than a few seconds thinking about this to frighten yourself.

[–] [email protected] 1 points 1 year ago (2 children)

I don't know what you mean by sandboxed but I'm pretty sure it cannot be as private as it seems, even if you're using a VPN. But regardless, 99.99% of TikTok users are not taking steps to protect their data. Hundreds of billions of data points that help an authoritarian government know how people think is nothing to shrug at.

[–] [email protected] 8 points 1 year ago* (last edited 1 year ago) (1 children)
[–] [email protected] 5 points 1 year ago (2 children)

Oh shit, Google is sending my stuff to China?

[–] [email protected] 3 points 1 year ago (8 children)

The big issue is Google isn’t owned by the state.

[–] [email protected] 22 points 1 year ago (2 children)

I mean... Does it change anything? They are owned by a board of directors that want profits over anything else.

[–] [email protected] 6 points 1 year ago (1 children)

Yes, not being owned by the world's most terrifying government turns out to be different than being owned by the world's most terrifying government. Funny how that works

[–] [email protected] 3 points 1 year ago (1 children)

Where are the Snowdens of yesteryear?

[–] [email protected] 2 points 1 year ago (1 children)
[–] [email protected] 1 points 1 year ago

It's a quote from the book Catch-22 and just popped into my head when I saw your user name. Highly recommend the book but there's a short explanation of the phrase here if you're curious.

[–] [email protected] 6 points 1 year ago

Of course it changes, at least the authorities have to buy from companies with public money instead of getting it for free.

[–] [email protected] 15 points 1 year ago

Man, Snowden wasted his entire life to tell you the USA literally spies on everything you do and when caught their answer was: yeah, so what you gonna do about it, maybe you should do the same.

[–] [email protected] 11 points 1 year ago

Instead they are about to be their own state.

Btw, companies are absolutistic by default.

[–] [email protected] 1 points 1 year ago

They are the state at this point. So same thing.
