Euro Security Watch with Mathew J. Schwartz

Application Security, Governance & Risk Management, Next-Generation Technologies & Secure Development

What Orwell's '1984' Missed: Free Social Media Apps

UAE Green Lights All-Access Social Messaging App, Blocks Rivals
ToTok app page on Google Play

Not even George Orwell could have predicted nation-state surveillance in the 21st century. Give us free instant messaging for our smartphones, and faster than you can say "viral kitten video," we're collectively part of a mass surveillance nightmare.


Cue privacy lulz. Or just give in and download the popular - and free - ToTok social messaging app.

Last month, The New York Times reported that U.S. intelligence officials believe ToTok is really a nation-state surveillance operation being run by the government of the United Arab Emirates that's used "to try to track every conversation, movement, relationship, appointment, sound and image of those who install it on their phones." (See: Apple and Google Stop Distributing ToTok Messaging App)

Alerted before the Times issued its report, Apple and Google ceased distributing the app. But while Apple's ban appears to be holding, on Sunday Google reinstated ToTok on Google Play, Verge reports.

Google didn't immediately respond to my request for comment on this apparent about-face. But Google gave Verge a repeat of a statement that a company spokeswoman provided to me after the Times' ToTok report appeared: "We take reports of security and privacy violations seriously," she said. "If we find behavior that violates our policies, we take action."

The United Arab Emirates government hasn't responded to my requests for comment.

But the two co-founders of ToTok two weeks ago posted an unapologetic note, predicting that the app store bans would be temporary. "Not only do we respect privacy and ensure security, our users also have the complete control over what data they want to share at their own discretion," the note reads. "The shameless fabrication by our distractors cannot be further from the truth."

Messaging Addicts: Choose Between One Option

The surveillance genius of ToTok would be - in part - how the UAE government apparently served it up. While the government permits ToTok use, it bans rival offerings, including WhatsApp and Skype, and blocks VPN services that users might have employed to bypass those restrictions.

Another innovation, if you will, is that the app does exactly what it says it does, according to security researcher Patrick Wardle at software firm Jamf, who formerly worked as a U.S. National Security Agency hacker and whom the Times approached to analyze the app.

Permissions demanded for iOS version of ToTok (source: Patrick Wardle)

Features built into smartphones and potentially granted to apps - including persistent, background access to a device's microphone, contacts, photos, camera and location - make great potential surveillance fodder.

"Our analysis showed that ToTok simply does what it claims to do and really nothing more," Wardle writes in his technical teardown of the iOS version of ToTok. "Assuming the claims that ToTok is actual designed to spy on its users, this 'legitimate' functionality ... is really the genius of the whole mass surveillance operation: no exploits, no backdoors, no malware. Again, just 'legitimate' functionality that likely afforded in-depth insight into a large percentage of the country's population."

Excerpt from Patrick Wardle's technical analysis of the ToTok iOS app

Our Smartphones, Ourselves

George Orwell, in his novel "1984," imagined how the rulers of an authoritarian society would watch individuals via their televisions. But he did not foresee smartphones and messaging apps.

Last month, the Guardian named smartphones as one of "15 super-trends that defined the 2010s." Better known now simply as phones, they "are firmly established as central to productivity, to entertainment, to communication and to education," and have replaced the notion of being online. Thanks to our smartphones, now we're always online.

That underpins a revolution that has led us to rely on new tools for everyday convenience, including the apps that run on smartphones, collecting myriad amounts of personal data and sending it back to cloud-based servers, which the U.S. and allied governments apparently monitor en masse.

Other modern conveniences with potential privacy and personal security downsides include wearable fitness devices, which can track our outdoor workout routines and share them with friends, but which can also inadvertently reveal the location and layout of secret military bases, not to mention the shed where we store our expensive bicycle. And, of course, who doesn't love their smart home AI assistant that literally listens for our every word, or their smart TVs that can watch us watching them?

Actually, Orwell still looks pretty prescient.

Only now, the everyday tool potentially being used to conduct surveillance is an always-connected device that we carry with us and use to document our everyday lives.

Hello, 2020.



About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.



