App that let parents spy on teens stored thousands of kids' Apple ID passwords and usernames on an unsecured server




So let me get this straight: Parents who don’t value their kids’ autonomy or privacy can use this spyware to peer into these kids’ private lives. And then anyone who cares to can look over the parents’ shoulders and peer into these kids’ lives as well. Are customers of this product supposed to care about any of this? They clearly don’t consider their kids’ privacy to be worth that much to begin with.

On the other hand, I can’t say that I really have a handle on how much I should value my own privacy, when I weigh it against all the other things I could be doing with my priorities instead. Sure, lots of companies want to monetize these little fragments of intel, and stubborn cuss that I am, I’d like to stop them. But again, at what cost?

Just as I have a shitty sense of risk comparison, I also have a shitty sense of privacy trade-offs, as (I suspect) does everyone else.

It’s fairly easy for me to see how we pay too little for things like gasoline and entry-level labor and plastic… The consequences of that are maybe not obvious, but learnable. For me to imagine the consequences of paying too little for privacy insurance, I sort of have to think of myself as a sovereign nation. Not something loyal citizens are encouraged to talk about in public.


How many of these spy services are there? Because there have been a number of these stories where the companies involved have had spectacularly inept security practices, and I’m wondering what percentage of these spy services they represent. The people at these companies really don’t seem to know what they’re doing, which is surprising, but on the other hand, a company premised on violating privacy having an exceedingly cavalier attitude towards maintaining that violated privacy is also highly consistent.


Not that surprising. Most of them are not IT security companies (or even IT companies) as such but companies that just want to make a quick buck with com-puh-ter-whachacallits. You know, like most of the companies that peddle IoT crap.



The TeenSafe app itself is created to provide a secure monitoring feature that is available on both the iOS and Android platforms to allow parents to keep an eye on their children’s smartphone activities (such as text and call log history, and their location).

The server that leaked TeenSafe users’ data (both parents and children) is hosted on Amazon’s Cloud platform, which was left as an open source for all. It means anyone can access users’ data without any security question or password.

Source: OPT

When will Congress take this kind of shit seriously and start jailing the execs at these fly-by-night companies? Yes, yes, fine the hell out of them, but history has shown that that is just a slap on the wrist. How about 6 months in jail per leaked/hacked record stolen? That seems fair.


You know, I don’t completely fault people trying to keep tabs on their kids to a degree. The problem is kids make terrible decisions, and modern phones make it easier to make a mistake with long-lasting consequences. Kids are also very good about hiding problems. But if one is using such tools, they should be secure.


I hate the idea of spyware for kids, but with a kid who thoughtlessly made death threats on social media the value is mostly in making sure kids know that their devices are not wholly theirs just yet. I would like them to grow up with a strong sense of privacy and boundaries that extend to their online lives and devices but that doesn’t come immediately when you’re 13. Phasing it in is tough.

That said, TeenSafe is garbage that doesn’t even work right. The concept is that they will use the u/pw logins to download a copy of the iCloud backup, decrypt it, and format it neatly for the parents’ review. It is mildly useful, but making them park their phone overnight and then walking over to it after bedtime serves the same purpose.


And that is TeenSafe’s problem. It isn’t Amazon’s job to secure the server for them. They do not touch a customer’s environment other than moving it to a new host if required, which can be done without looking into the VM itself.
If it was left open to the world then that is purely on TeenSafe and piss-poor security practice.


To a degree. Complete surveillance of their online communication is not “to a degree”, but just a blatant violation of children’s right to privacy, as guaranteed by article 16 of the UN Convention on the Rights of the Child.

It’s high time that the US finally ratified that treaty (OK, probably not under Trump, but maybe just put it on the list of international treaties to start adhering to after Trump is gone).

(And of course there are plenty of other countries that have ratified it, but that should finally start actually enforcing it…)


Given the overall trend with these kinds of companies, I think it’s probably pretty safe to say that companies that make privacy-invading software, hardware, whatever, don’t give a shit about your privacy or the privacy of the people you’re spying on. I’m not just talking creepy stalker malware, I’m talking about NSA Barbie, and the multitudes of other devices and software that parents are blindly buying or using in order to “protect” their children, when in reality all they’re doing is voluntarily inviting unknown third parties to listen to and watch their every move.


What’s weird to me is that they are IT companies, but they don’t seem to realize that, or have any IT people working there. But I guess it’s more a case of “don’t care.”

They have MBAs, and all the technical stuff is outsourced to sub-sub-sub-subcontractors. Which can be scuttled if needs be.

