Last Week on My Mac: Human frailty

By now we’re used to weekly, sometimes daily, revelations of major breaches of security and privacy, to the point where it’s probably easier to assume that anything transferred from your Mac to the Internet is, sooner or later, going to appear where you didn’t expect. But one disclosure stood out among those in recent months, detailed in this article by Alex Lomas of Pen Test Partners about the troilist dating service 3fun.

3fun, whose app is still available in the iOS App Store, caters for those who seek not one but two sexual partners. In bringing a threesome together, it necessarily obtains plenty of personal data, including precise location, gender, sexual preferences, and date of birth. It’s also, like so many such apps, largely a front end to a remote service whose data was apparently quite freely accessible to others. With a few carefully-worded requests, Pen Test Partners were able to discover a great many details about some of its 1.5 million users, including those with locations in places like the White House and the US Supreme Court (which could of course have been spoofed). It was also possible to obtain their photos.

3fun’s users were entirely willing partners in this: in paying their £27.99 per month (that’s an amazing £335.88 per year), its users were choosing to trust 3fun’s servers with information which they knew was sensitive, to say the least. That’s not something that iOS, macOS, or App Store review can currently guard against.

As with security more generally, the weakest and most easily exploited link in the system isn’t the operating system or local software, it’s the human frailty of the user, the sudden rush of blood away from the brain to other body parts which have seized priority. 3fun’s developers have been successfully exploiting that frailty. Assuming around a million subscribers – until last week at least – their service has been raking in over $20 million a month preying on their weakness.

Sadly, the world is full of people who have no compunction about such exploitation. So is the iOS App Store full of dozens, maybe hundreds, of similar apps offering to satisfy peccadillos in return for money. And in every case, all you have is their word that they’ll keep your data safe on your behalf.

Unfortunately, improvements in the protection of privacy in macOS don’t help, as they promote a mentality that macOS looks after such issues for you. Neither can a software firewall, as it can’t tell you what data you are surrendering to the servers, nor how well protected they are from access by others. The first alarm bells are likely to ring only when someone like Alex Lomas checks those servers out, by which time you’ll have spent a ridiculous sum of money for others to publish details about you which you can only regret.

As in security, our systemic failure is in investing heavily in what are seen as engineering solutions. These might seem to put control in the hands of the user, but when your brain is disengaged and your only thought is about what cravings that service will satisfy, who’ll stop and think rationally? User consent is only valid when it’s meaningful, not under duress or gained by carnal inducement.

Surrounding ourselves with additional layers of engineering protection doesn’t help either. There’s nothing in your software firewall or VPN proxy that will shout “Don’t be so bloody stupid – you’ll regret doing this” and shake you by the shoulders. And for those who swear blind that it’ll never happen to them, I have a steady trickle of friends and readers who have at some time succumbed to these ploys of ‘social engineering’. They should act as a warning to everyone that privacy and security are above all about protecting people from themselves.

Engineering solutions are also useless at assessing risk. As far as macOS privacy protections are concerned, that’s the user’s responsibility, as it is for a software firewall. This misleads us into thinking that the risk associated with, say, macOS checking signing certificates of first run apps is in the same league as sending your data to what we euphemistically call dating agencies.

Services like 3fun can come and go as they please: if this scandal forces them to close, there’s nothing to stop them being reborn under a different name and branding. If Apple were even to be suspected of abusing the data it receives for the validation of security certificates, the effects on the company would be catastrophic. We also know that Apple’s servers are very carefully managed, protected and guarded, and that Apple has deliberately built in protections such as differential privacy.

Yet we sit and fret about macOS ‘phoning home’ to Apple, whilst wondering when we can next set up a ‘date’ using unsecured servers which effectively publish our sensitive information.

User education isn’t the answer, and although putting cyproterone acetate in drinking water might seem attractive to some, what we need most is for the industry as a whole to accept ownership of these problems. If people can’t learn to protect themselves, maybe the industry has to accept that it mustn’t profit from human frailty, however indirectly. No reputable retailer would ever sell a product which they know is putting their customers at risk, and ripping them off in the process, would they?