Another Tale of Personal Data Harvesting: Alsid, Lusha.co and Simpler Apps

After reading a recent post by Antoine Neuenschwander, we wanted to share a similar experience from one of our consultants regarding the sale and use of their personal data, featuring many of the same players as Antoine’s post.

Part 1 – The Sales Call from Alsid

One of the many scourges of modern work is the fact that salespeople try to reach you all the time. In this particular case, our consultant was contacted on their work phone, via email and on LinkedIn by someone from a French cybersecurity company called Alsid. Then, to their surprise, a call from France rang on their personal, US-based cell phone and left a voicemail. That got them curious: how did this company get hold of a personal cell phone number? Because the company is French, it is subject to GDPR, so they asked for a copy of the data the company held about them. The company did provide a fairly extensive GDPR response, but the cell phone number wasn’t in it! After follow-up questioning, they eventually dug it out – their salesperson got it from Lusha.co:

[Screenshot: Alsid’s follow-up response naming Lusha.co as the source of the phone number]

There are several privacy concerns here:

  • Why was the number not provided in the initial GDPR request?
  • Did the caller check to make sure the number wasn’t a wireless phone AND wasn’t on the Do Not Call List (since it is illegal to place telemarketing calls to such numbers in the US)?

Part 2 – The B2B Contact Enrichment Tool – Lusha.co

Lusha.co provides a set of plugins that enrich LinkedIn profiles – if you are looking at someone’s profile, the plugin supplements it with the person’s phone number or email address drawn from other sources. The website, marketing materials and privacy policy are pretty explicit about this:

[Screenshot: Lusha.co marketing page describing the LinkedIn enrichment plugin]

And (emphasis added):

Our Services are designed to help Users and vendors (e.g. HR professionals, B2B partners, sales platforms) validate and verify contact information and to find business profiles they seek in order to interact with relevant Contacts (as defined below), through access to business profiles retained in Lusha’s database (“Lusha Database”). 

A data request sent to Lusha.co resulted in the response below. Note the language around Simpler, specifically in the last paragraph. It seems that Simpler provides mobile apps to be used for “verification”; those apps then slurp up the user’s contacts and share them back with Lusha.co:

[Screenshot: Lusha.co’s response to the data request, including the paragraph about Simpler]

Excerpt of the text appears below:

Simpler also offers its users the opportunity to contribute to a collaborative security effort, meant to assist in authenticating the identifying attributes of an individual. This effort can assist in establishing a trusted channel of communication for online and offline interactions.

If a Simpler user consents to contribute to this effort, basic contact information (name and phone number) found within such user’s contacts may be shared with Lusha, which implements the security solution.

If you dig deeper into the Lusha.co materials, a lot of similar language appears there as well. Instead of a discussion of B2B contact data, it suddenly becomes a matter of “security”, “trust” and a “collaborative security effort”. When you look at their data page (emphasis added), note how quickly the language shifts from “lead enrichment” or “B2B data” to a “collaborative security effort”:

Lusha’s core purpose is to make online engagement safe and efficient. In today’s fast-paced and multi-layered world, one of the main challenges to online users is trust. A major risk in online interactions is the risk of encountering fraud, whether by phishing attempts or by identity theft. Widespread fraud can lead to the loss of customer trust, extra costs of time and money required to manage fraud incidents, damages to the reputation of individuals and institutions, possible legal costs and many more negative outcomes.

Lusha’s unique solution is based on a collaborative security effort, effectively utilizing information to verify online identities. The Lusha service provides its users with valuable insights and assists in authenticating the identity of individuals in the online sphere.

There are several privacy concerns here:

  • Why is a tool that claims to provide B2B information obfuscated behind being “a security solution”?
  • How can “security” and “trust” justify essentially taking users’ address books from their mobile devices and selling that data for marketing?

Part 3 – The Mobile Address Books from Simpler

The link provided by Lusha actually leads to the Google Play Store, and from there to two apps – Simpler Caller ID and Dialer – each with more than 5 million installations. The link on the store listings leads to the company’s website, where a third app is listed – EasyBackup, a contacts backup manager (iOS only). That one is owned by a different company called “Top Floor”, which also makes an app called “Cleaner Pro” (for iOS) that claims to remove duplicate contacts. Mailing addresses for both companies go to co-working spaces: one in Brooklyn, NY and the other in Los Angeles, CA.

Here are the apps:

The Simpler Apps website still lists all of these apps as being theirs:

[Screenshot: the Simpler Apps website listing Simpler Caller ID, Dialer, EasyBackup and Cleaner Pro]

A request was sent to Simpler for a copy of the data they collected, and the following response was received – no data. A follow-up request was sent and a response is still pending:

[Screenshot: Simpler’s response to the data request, stating that no data was held]

At this point we are at a dead end with Simpler, but further research reveals the following nuggets buried in the terms of use and privacy policy:

By using our Services, you acknowledge and agree that we will share contact information with other users our affiliates and business partners for the purpose of ensuring that their current contact information is up to date. You acknowledge that you have the rights and permissions required to allow us to share such contact information.

And:

We do not share your Personal Information with third parties except:

  • The Services are based on contact management and Caller ID (if applicable), therefore, we will use your number and contact for this purpose. This disclosure is also important to individuals that are not our users which may be identified by the caller ID. We enable an easy opt-out in the event you no longer wish to be identified, for more information see the User Right section below.

  • We may also share Personal Information with (i) our subsidiaries and business partners if needed; (ii) subcontractors and other third party service providers (e.g. payment processors, server, cloud management, etc.); and (iii) any potential purchasers or investors of the Company.

There are several privacy concerns here:

  • Why is a tool that claims to keep contact information correct selling that data for marketing?
  • What is the connection between Simpler and Lusha.co?

Part 4 – Tying It All Together: Lusha.co and Simpler

At this point, it is fairly clear what happened – a bunch of mobile apps slurp up contacts from their users’ address books and provide them to Lusha.co to be used by marketers and recruiters. This is being presented as a “collaborative security solution” while it is essentially just selling personal data, albeit with an opt-out available. What is frustrating about this is that regular users who are friends with the people being targeted are installing these apps thinking they are simple utilities, while all of their contacts are actually being sold behind their backs. At the same time, Lusha.co is claiming to be a security solution while it clearly is not.

[Diagram: data flow from the Simpler apps’ users’ address books to Lusha.co and on to marketers and recruiters]

But there is more … a set of simple Google searches shows that one of the co-founders of Lusha.co (“Yoni Tserruya”) is actually the original developer of all four of these apps (here, here, here and here). Furthermore, if you download the Android apps provided by Simpler and inspect their signing certificates with jadx, they are issued to the same person, as seen below:

[Screenshots: signing certificate details of the two Simpler Android apps as displayed by jadx]

Now, these apps are published by companies other than Lusha.co (Simpler Apps and Top Floor), but are they subsidiaries of, or otherwise related to, Lusha.co? If they are, then the privacy policies seem to allow them to transfer data from these apps back to Lusha.co. Overall, the arrangement may be legal, but it is perhaps unethical.

Bottom line: this example highlights yet another way personal data is harvested, sold and re-used for commercial purposes.

Vendor Responses

We reached out for comment to all of the companies mentioned in the article and will update the blog post with feedback or comments.

Opinion: Privacy is Dead: It’s Time We Admit It

“And even inside your mind, do not curse the king, and in your inner bedroom do not curse the rich, for a bird may relay your voice, and a flying thing may retell the matter.” (Ecclesiastes 10:20)

Hacking is all the rage these days — it seems that every week another organization is breached and its users’ data is splashed across the Internet. Small businesses, big government agencies, mundane emails and national security files are all fair game. After all, the logic goes — they should have known better: they should have secured their files, done better background checks on their employees and contractors, applied encryption, and in some cases simply locked the doors and alarmed the windows. And now that the cow has left the barn and the breaches have happened, we respond in typical American fashion — we fine them, we sue them and sometimes we fire them.

However, this simplistic view misses the essential truth of today’s hyper-connected world — our privacy is dead. As a matter of fact, it died long ago, and we are simply not able to face the truth. In a world where almost everyone carries a cell phone capable of recording and transmitting video and audio, privacy does not exist. In a country that records the phone calls and electronic activity of its citizenry in a quixotic quest for national (in)security, privacy cannot exist. In a state that reads the license plates of its taxpayers’ cars as they travel in public, privacy will not exist. And on the Internet, where everything is connected to everything else, privacy never existed.

We are surrounded by an ever-increasing number of machines that constantly record everything we do. From cell phones, personal computers and Internet-connected appliances to license plate readers on police cars, cameras at intersections, drones and satellites, our every step is theoretically seen, heard and possibly recorded by some machine, somewhere. Every time we interact with governments, businesses or even each other, those interactions generate digital files and tracks. As more and more devices become intelligent and connected to the Internet, that tidal wave of personal data collection will become a deluge. Within a few years, if not already, it will probably be possible to reconstruct most of our daily activities from our digital footprints on the sandy shores of the Internet of Things.

The “Inter-net”, by its very name and nature, was designed to connect machines, networks and human beings together in a seamless fashion. Why, then, are we surprised when our information, including medical records, tax returns and polygraphs, can easily be pilfered by digital bandits from so-called “secure” places? That is the nature of the beast we created — everything is connected to everything, and it is getting harder and harder to keep the bad guys out. The hacks and data breaches, which are getting more common and bigger in size and scope, are canaries in the digital coal mines. The only thing holding back the deluge is the fact that there aren’t enough trained people available to break in, take and interpret this data. However, as artificial intelligence is constantly being improved, it will only be a matter of time until machines can steal and analyze better than humans.

It is time that we woke up from our dream world and admitted to ourselves that privacy does not exist. We should be aware that we are constantly being watched by thousands of eyes and heard by thousands of ears, without always knowing who the watchers really are. We need to start pushing back at both businesses and governments, letting them know that we value our personal privacy and do not appreciate our information, whether mundane or intimate, being collected and shared. We should also start re-evaluating how much personal information we ourselves share with others on a daily basis, and whether all of it is really necessary. And we need to start unplugging ourselves more often and enjoying the company of other humans instead of machines.