Biased Information on Technology, Politics & Privacy

Missing: Mobile Firewalls

Marc Dahan

In a world where data privacy has gone mainstream, one can wonder why we have so little control over how and when our mobile phones connect to the Internet.

Computers that connect to the Internet need firewalls. That's a given to almost anyone who owns a computer. Firewalls are so ubiquitous to computer networks that they are, in one form or another, built-into every commercial router you can buy. Not only that, every major operating system has a native firewall built-in, with one notable exception: mobile operating systems. But a smartphone is nothing more than a computer that fits in your pocket and happens to make phone calls, right? So if smartphones are computers, why don't they have firewalls? It could have to do with the way mobile apps are monetized...

What is a Firewall?

A firewall is a network security device that sits between your local area network (your computers, tablets, smartphones connected to your router) and another network (typically the Internet). A firewall controls communication between the two networks. This means assessing the traffic in one way or another and then accepting or blocking that traffic based on preconfigured rules.

There are different types of firewalls. They differ in how they inspect your traffic, which determines the actions they can take: block certain types of traffic (UDP, ICMP, etc.), block traffic to specified ports, block certain URLs, etc. They also offer different levels of granularity. Some firewalls may perform deep packet inspection, some include anti-virus capabilities, while others are quite literally proxy servers used to log and filter connections.

But despite these differences, what they have in common is that their primary function is to keep unwanted traffic out of your network and devices. It may actually be make more sense to talk of “firewalling” your network rather than using “a firewall”. In that sense, ad blockers can also be considered firewalls of sorts. And if firewalls are so ubiquitous today, it probably means that there’s a lot of unwanted traffic out there. We know this: the Internet is rife with hackers, identity thieves and propagandists, who all want a piece of your personal information. But they’re not the only ones, corporations, governments (not just your own), law enforcement agencies all want in too. Firewalling your network, in one way or another, can help keep them out.

Surveillance Capitalism

We also know this by now: the business model of the Internet exchanges services for personal information. This means that in exchange for the ability to share your vacation photos with your friends on facebook, you agreed, when you clicked "I agree" (probably many years ago) to facebook's terms of service, which enable them compile and rent or sell, a detailed profile of you (and most of us) to anyone willing to pay. Google gives you "free" search results, in exchange for your search terms, your location, your clicks and anything else its sophisticated algorithms can glean about you. Just about every "free" Internet service works in this manner. It’s the now old adage that if you’re not paying for a service, you’re the product. But today one can wonder how accurate the "if you're not paying" part is, seeing as how many paid services choose to supplement their revenue by selling the data they collect, despite charging a fee for their services.

This exchange of personal data for online services is referred to as surveillance capitalism. It may sound ominous, but the term is accurate and the phenomenon it describes is old news. I say it’s old news because these practices went mainstream a long time ago. But, like the story of the frog who doesn't realize he’s being cooked because the water temperature is raised ever so slowly, the zealous collection of personal data creeped up on us without us realizing it. And while we’ve been aware of online advertising for a while - remember around 1997 when pop-up ads debuted and disgruntled the Internet with their obnoxious takeovers of our screens? - we may have focused on the wrong thing: the display of the ad, rather than the data collection it performs. This is a point I discussed here and that we've woken up to in recent years.

Today, most everyone acknowledges that personal information is the fuel of the Internet and many of us employ pop-up blockers, firewalls, anti-virus software and ad blockers, in an effort to safeguard at least some of our personal information when browsing the Internet on our computers. But what about our smartphones and tablets?

The Mobile Ad Blocker

In 2015, with the release of iOS 9, Apple decided to allow ad blockers for web browsers into their App Store. The advertising industry obviously wasn’t happy about that and it started “warning” us of the dystopian future we would face if ad blockers went mainstream. Well, we’re still here and mobile ad blockers didn’t kill the online advertising business model.

So why did they freak out? Because Web browsing on mobile was overtaking the desktop. They feared losing the unfettered freedom they had to populate your mobile screen real estate with their ads. But the point is that their doom scenarios never came to pass, despite mobile ad blockers being widely available on both iOS and Android. How come?

Because of the other piece to this puzzle: mobile apps…

Mobile Apps

In 1994, the first person-to-person SMS text message was sent from Finland and SMS messaging took off shortly after. By the early 2000s, advertisers were using SMS to send new promotions, loyalty offers, concert tickets, etc., to their known customer base. Media outlets also started sending ad-sponsored new alerts. Sound familiar? It should. That was the seed that grew into what is today a multi-billion dollar business model and industry: data driven monetization of mobile apps.

Arguably, the ability to send SMS (Short Message Service) text messages can be seen as being the first mobile app. The functionality was embedded in the phone, but was distinct from the telephony features of the device and it enabled data-driven monetization. The metaphorical embryo of a modern day mobile app.

So it started with SMS and flourished into every mobile app you can think of: from messaging apps and games to GPS routing, home automation and dating apps. And while their functionalities may vary, they all share one commonality: they are all monetized through ads and data collection..

And mobile is where it’s at. Here are a few statistics:

  • In 2015, according to Pew Research Center, 67% of U.S. adults owned a smartphone. That number goes up to 81%, in 2019.
  • Mobile web usage trends show it’s been steadily overtaking desktop web usage year on year. And in 2019, mobile markedly surpassed desktop usage by roughly 6%.
  • In 2017, according to Comscore’s Mobile App Report (slide number 7), the amount of time spent on mobile apps vs. the mobile web, was 87% to 13%, respectively.
  • In 2017, according to BusinessInsider: “Apps garnered 66% of mobile sales in Q4, and posted better conversion rates than the mobile web among North American retailers that generate sales from both”.

That last statistic refers to shopping apps (like the amazon app) versus their website counterpart on mobile (amazon.com). So the app version of the web store generated 66% more sales than its (mobile) website counterpart. But what about all the other apps? Games, News apps, Social apps, Fitness apps, Dating apps, Weight Tracking apps, etc.? They may not be explicitly trying to sell you something (beyond a subscription to their service), but they are very likely filled with first and third party resources that track your usage, activities and behaviour in the app.

In May of 2019, a Wall Street Journal investigative report found that, of the top 80 apps in the “Apps We Love” section of Apple’s App Store, 79 of them were using third-party trackers to collect data about their users. This is, of course, not exclusively an iPhone problem, but a smartphone problem, as the same thing is going on on Android - not to mention the fact that anything produced by Google should raise red privacy flags, given the company’s privacy-busting track record and business model.

What kind of apps did WSJ test? Everything from music streaming and weather apps, to news apps, to cloud storage and dating apps - pretty much any kind of app you can imagine. And what kind of data did they collect? Essentially everything they could glean: Device name and model, your name and phone number, your email address, your IP address, your contacts, your precise location at any given time. Neat, huh?

It’s a pretty bad situation… But wait! We have mobile ad blockers. We should be able to stop all that tracking by just downloading one from your smartphone manufacturer’s App Store, right? Wrong.

Mobile WEB Ad Blockers

As it turns out, mobile ad blockers can only help you when you’re using a web browser, not any other kind of app. So, for example, if I have a mobile ad blocker installed on my phone and I use a mobile Web browser to access the New York Times website, the ad blocker will work for me and block ads, trackers and the rest of these third-party parasites from harvesting my data. Download the New York Times app and open that up to read the news and your ad blocker is as useful as a dead battery. It won’t do anything.

So, more and more people own smartphones. More and more people access the Internet on mobile devices than on desktop devices. And once on mobile devices, more and more people access the Internet using apps rather than using a mobile web browser. But why? Why are people drawn to mobile over desktop and to apps over browsers?

The offering of an "enhanced experience" over traditional computing will obviously be touted by marketers as the driving force behind mobile app growth. But what does that mean exactly? In 2016, a marketing survey, by Sitecore and Vanson Bourne, listed the top expectations users had relative to mobile apps, and personalization was the number 1 factor driving user engagement to mobile apps and a top factor for mobile app growth.

Marketers have long known (and were reminded around 1997...) that their ads won't be deemed acceptable if they degrade the user experience beyond a certain tolerance threshold. Mobile apps offer an enhanced experience to the user over using a web browser or non virtual means to accomplish the same tasks. Enhanced tends to mean personalized (stored user settings), and personalization always means tracking. Very often, these personalization features are just a way of getting even more information out of you. Want a list of your favourite contacts to appear front and center in so and so app? No problem! Just tell them who your favourite contacts are… Want to be alerted when your favourite brands have flash sales? Great! Just disclose your favourite brands to the app maker. Are you starting to see a pattern here?

The Case for Mobile Firewalling

So, with most everyone moving to apps, which aren’t affected by any available ad blocker, any anticipated privacy gain from their use evaporates. Ad blockers on mobile should be system-wide and affect all network connections made by the device. If it’s not OK to track your web browsing, why is it OK to track your app usage? Maybe it’s not actually about being OK or not, maybe it has nothing to do with ethics at all. Maybe it has to do with the way mobile apps are monetized? Remember that WSJ article? It’s not the first of the sort. Similar articles are published almost every other week. A quick duckduckgo search yields immediate results. See here, here and here.

Now, making ad blockers system-wide and enabling them to firewall your network connections would admittedly be quite disruptive to the existing business model. But it’s a bad model. Perhaps it’s time we forced marketers down another path. And I suspect it wouldn’t even be as disruptive as one might think.

First, not everyone would install them. Just like now. The number of ad blocker users, even for traditional desktop computing varies by country, but caps at just below 30% for the countries with the highest adoption rate for ad blockers. It would probably be roughly the same numbers on mobile.

Second, let’s assume that a system-wide ad blocker prompts the user when an app attempts a network connection. Some might find that annoying and may stop using it. But for many others, it might just be an eye-opening experience. I suspect many would be be somewhat shocked at the sheer number of connection attempts their smartphones are making. That, in turn, could very well change the perception some users have of the companies, apps and services they interact with, which may motivate them to dum it down a bit and uninstall couple of apps. That alone, could weed out some of the worst offenders in that space. As it stands now, all this network activity is completely opaque to the user. One can perhaps understand why Google is happy with the status-quo, given how they make their money. But Apple touts itself as being very privacy friendly. How can they, when their third-party apps are rife with ads and trackers that operate in the dark?

Users should have control over the network connections made by the devices they paid for. It would force marketers down a more privacy-friendly path and the Internet would be a safer place for everyone - including Google and Facebook employees.

Note that recently, two “firewall” apps have been released on Apple’s App Store: Guardian Firewall and Lockdown Apps. Both apps work by initiating a VPN connection - so if you already use a VPN on your smartphone (and you should), you’re out of luck. Guardian Firewall, reroutes your traffic through their servers to block the bad guys, while Lockdown Apps creates a local proxy server through which the traffic is filtered (it still initiates a VPN connection, but it’s a dummy). While these are not perfect solutions, they definitely are monumental steps forward - in principle - but we need to go further. A local, on-device, customizable and transparent “firewalling” app that doesn’t depend on a VPN connection (real or fake) is what is needed. Yes that would mean Apple opening up a new API or developing it themselves. Apple claims that "what happens on your iPhone, stays on your iPhone". Sure - just don't install any apps...