Lesson 4: Application Layer and Above
Lesson explores actions by Cambridge Analytica, data theft, data aggregation, privacy breach, protecting personal information, unplugging
The Cambridge Analytica debacle offers an important reminder of how out-of-control things can get at the Application Layer. Facebook provided an open API (Application Programming Interface) to developers for certain personality quizzes that ran on the Facebook platform. This gave the developers complete access to the private data and metadata not only of the Facebook users who took the quiz, but also of their friends and friends of friends. The impact of this privacy breach played an important part in tipping the Brexit vote in the UK and the 2016 US Presidential election, and continues to ripple through the fabric of society.
Fortunately, there is a lot that you can do at the Application Layer to plug some of the huge privacy gaps that exist. Below we offer some tips to limit and restrict applications in the interests of your privacy.
The easiest way to think about all applications (from a privacy perspective) is to determine if an application is:
a) understandable (i.e., I can clearly see the benefit of this application), and
b) critical (i.e., I need this application).
If an application is neither understandable nor critical, the best course is to delete it.
For example, most of the functionality of the Facebook Mobile App is available if you visit Facebook using a browser, so we should expect to be able to enjoy accessing Facebook without giving away additional ‘about you’ metadata that the Facebook mobile application tries to snag.
Limit the information you give away. While this may seem obvious, it needs to be stated. Think carefully when sharing information online and always ask yourself, ‘Do I understand why?’ and, ‘Is it essential to what I want to do to give this information away?’
Turn off your device(s). If you really want to prevent leakage of ‘about you’ data from your device, the best course is to turn it off when you are not actually using it.
Disable network connectivity. The next best thing is to limit the network connectivity of your device. If you don’t need your device to be connected, disconnect it!
Disable Location Services. Location services is a feature of most smart devices, from mobile phones to laptop computers. Location services accesses the GPS functionality of your smart device and can leak massive amounts of metadata. If it is switched on, it is also accessible by default by many applications that hungrily harvest this “leaky” data. On Apple products this is easily managed under: Settings > Privacy > Location Services. On Android devices: Settings > Security & Location > Location > Turn Off Location. Unless you are using an app that needs Location Services, we recommend that you always set this to Off. Turning off location for your device turns Location Services off for all apps.
Disable Siri, Alexa and Cortana. Another functionality prevalent in modern devices is voice activation. Apple’s Siri, Amazon’s Alexa and Microsoft’s Cortana are examples of artificial-intelligence-driven listening devices that act as digital assistants for device users. While these listening devices may be trendy and convenient, the downside is potentially disturbing: the apps harvest and broadcast massive amounts of ‘about you’ data, shrouded in mystery and in user agreements that use legalese to mask data collection at an unprecedented scale. If you read the user agreements that govern the use of these applications, you have to assume that these apps, which are always on and always listening, can be harvesting data at any time, not just when you prompt them. Your personal voice data streams to corporate servers run with sophisticated artificial intelligence software; your private data is converted to text and stored for future use by even more sophisticated technologies. Smart-home devices can know when you are home, what your daily movements are, how many people you live with, when you have visitors and on and on. And once this data is transmitted, most of it is out of your control. While you may be able to delete some data, there are no control settings for ‘about you’ data harvested by these applications.
Delete Facebook. The Facebook App for iOS or Android is a monster spying application and one of the greediest data aggregator apps available. Even with your Location Services turned off, the app can leak location information via wireless, IP and MAC addresses. But it certainly doesn’t stop there. A huge array of other information, including who you are with, when you got where you are, how long you’ve been there and lots of other revealing ‘about you’ information, is constantly being farmed via device-native functionality including microphone and video. If you absolutely must use the Facebook app, for instance if you are posting regular Facebook Live videos, then at the very least turn off the location services, microphone and video settings when you are not using the app. Or better still, uninstall the app and reinstall it only when you need it. If you delete the Facebook App and still want to access the service from your mobile, use your browser, but make sure you log out at the end of each session and then clear your cookies.
Be Careful with Links. When you click on links in emails, PDF documents, other documents, and online, pay particular attention to the link. If it is a clean link like you can be pretty confident that you know what will happen if you click it. However, many links are far more complex and can be detrimental to your privacy. Pixel trackers in emails can run sophisticated scripts that can extract complex information from your device, including its feature set and the browser you are using. According to Apple’s user guide, “In some of our email messages, we use a “click-through URL” linked to content on the Apple website. When customers click one of these URLs, they pass through a separate web server before arriving at the destination page on our website. We track this click-through data to help us determine interest in particular topics and measure the effectiveness of our customer communications. If you prefer not to be tracked in this way, you should not click text or graphic links in the email messages.” Generally, when you mouse over a link the full URL is displayed. If a URL has a lot of confusing “trailing” data in the link, then it may be a good idea to avoid clicking it. If you must follow the link, you can copy the link and paste it into a browser like Tor (which we get into in Module 4). You can also experiment with deleting the trailing parts of the URL that you don’t understand, to see if you can get to the content you wanted without giving away too much about yourself.
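The advice above about deleting the trailing parts of a URL can be done mechanically. The sketch below is an added example, not part of the original lesson: it unwraps a click-through link that carries its real destination in a query parameter and strips common tracking parameters. The parameter lists and the sample URL are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed, non-exhaustive lists of common tracking parameters.
TRACKING_PREFIXES = ("utm_",)
TRACKING_NAMES = {"fbclid", "gclid", "msclkid", "mc_cid", "mc_eid"}
# Assumed names that click-through redirectors use for the real destination.
REDIRECT_NAMES = {"url", "u", "redirect", "target", "dest"}


def is_tracking(name):
    n = name.lower()
    return n in TRACKING_NAMES or n.startswith(TRACKING_PREFIXES)


def embedded_destination(params):
    """Return the first parameter value that is itself an http(s) URL, if any."""
    for key, value in params:
        inner = urlsplit(value)
        if key.lower() in REDIRECT_NAMES and inner.scheme in ("http", "https") and inner.netloc:
            return value
    return None


def clean_url(url, max_hops=3):
    """Return (cleaned_url, notes) without making any network request."""
    notes = []
    for _ in range(max_hops):  # bounded, so nested wrappers cannot loop forever
        parts = urlsplit(url)
        inner = embedded_destination(parse_qsl(parts.query, keep_blank_values=True))
        if inner is None:
            break
        notes.append(f"unwrapped click-through via {parts.netloc}")
        url = inner
    parts = urlsplit(url)
    kept = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if is_tracking(key):
            notes.append(f"removed {key}")
        else:
            kept.append((key, value))
    cleaned = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment))
    return cleaned, notes


if __name__ == "__main__":
    # Constructed sample: a newsletter link wrapped by a tracking redirector.
    sample = ("https://click.example.net/track?u=https%3A%2F%2Fshop.example.com%2Fdeals"
              "%3Fid%3D42%26utm_source%3Dnewsletter%26fbclid%3DAbC123&mc_eid=9f1c")
    print(clean_url(sample))
```

Links that carry only an opaque token (no embedded destination) cannot be cleaned this way, because the mapping to the real page exists only on the tracking server.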
Disable and Delete Cookies. Cookies are one of the easiest ways third parties have to collect information about you and then use it against you. Vendors use cookies to harvest your user behavior, combine it with other data they have collected in the past from you and from people like you, create a unique profile on you and then track and measure your behavior to modify the products that appear in your search results and the prices they offer you. The price you see is the one the provider determines is the highest you will tolerate paying – not the lowest! One of the best examples of this is when you search online for flights. Skyscanner, Google Flights, Kayak and others all use cookies to determine how much they can extract from you. Again, using a browser like Tor is a great way to make sure that you mask as much of the data that may negatively impact you as you can.
Disable Ad Tracking. Most web browsers offer a setting to turn off ad tracking. If you are going to maintain a public profile, then we recommend that you go through your browser settings to ensure that you have disabled ad tracking. To test your browser for ad tracking, to see how private it is, or if you suspect that you are being tracked, navigate to Panopticlick to test your connection and receive a detailed report of your ‘track-ability’ via your browser. Panopticlick also offers you detailed information about How to Debug Your Content Blocker for Privacy Protection.