What Is Your Smart Phone Saying About You?
Short answer: much more than you think.
Recently I heard a fascinating Planet Money podcast on a project called Project Eavesdrop, which NPR's Steve Henn conducted jointly with Ars Technica's Sean Gallagher and Dave Porcello, CTO of Pwnie Express, a company that makes penetration testing tools. The point of the project was to determine what you could find out about a person's internet activities by passively monitoring their Internet traffic. They monitored Henn's smartphone while it was connected to the WiFi in his home, as an analogue to a signals intelligence service (e.g., NSA or GCHQ) monitoring the internet backbone. The results were astounding.
Henn invited Gallagher to install one of Pwnie's devices in his home office so that Porcello could snoop away at his phone's online footprint when connected to the WiFi hotspot. To be clear, the Pwnie device's WiFi was secured with WPA, so this was not an over-the-air snooping test. This was a simulation of what was being disclosed over the backbone.
NPR had a reasonable level of operational security around its email system, yet they were able to identify which Steve at NPR owned the phone because the weather app on the phone leaked his location information in the clear. Thus they knew it was Steve Henn on the West Coast rather than Steve Inskeep on the East.
Things like his personal finances were not exposed, since his bank was using encrypted web sessions. But despite the big internet powerhouses' increasing use of encryption post-Snowden, there are still things that leak out in the clear. Through search history cookies and map requests, Porcello and Gallagher were able to get:
- The nature of the story Henn was working on
- The places he was going to visit as part of his reporting
- The phone numbers of some of his sources
- The complete audio of one of his interviews before the show aired
I'm not going to go into all the details here. The podcast makes fascinating listening (and it's only 15½ minutes long) and I'd rather let Henn tell his own story. For the technical details, see the Ars Technica piece.
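The leaks above all share one property: the request went out over plain HTTP, so anyone on the path could read the location parameters, search terms and cookies. The following is an added example (not code from the podcast, Ars Technica or Pwnie Express) of the kind of self-audit a defender can run over a log of their own phone's outbound requests; the request lines, hostnames and parameter names are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample of outbound requests from a phone, one per line:
# "<scheme>://<host><path>?<query>" with an optional " cookie=<name>" suffix.
# Hostnames and parameters are invented; they are not from the podcast.
SAMPLE_REQUESTS = [
    "http://weather.example.test/forecast?lat=37.77&lon=-122.41&units=f",
    "https://bank.example.test/login",
    "http://maps.example.test/route?origin=Oakland&dest=Berkeley",
    "http://search.example.test/q?term=eavesdrop cookie=SID",
    "https://mail.example.test/inbox",
]

# Query parameter names (assumed, for this example) that reveal where the
# device is or is going, and that reveal what the user is searching for.
LOCATION_KEYS = {"lat", "lon", "lng", "latitude", "longitude", "origin", "dest"}
SEARCH_KEYS = {"q", "query", "term"}


def audit_request(line):
    """Classify one request line; return (host, is_cleartext, findings)."""
    url, _, extra = line.partition(" ")
    parts = urlsplit(url)
    cleartext = parts.scheme == "http"   # TLS hides path, query and cookies
    findings = []
    if cleartext:
        params = parse_qs(parts.query)
        if LOCATION_KEYS & params.keys():
            findings.append("location")
        if SEARCH_KEYS & params.keys():
            findings.append("search-terms")
        if extra.startswith("cookie="):
            findings.append("tracking-cookie")
    return parts.hostname, cleartext, findings


def audit(lines):
    """Map each host that sent sensitive data in the clear to what it leaked."""
    report = {}
    for line in lines:
        host, cleartext, findings = audit_request(line)
        if cleartext and findings:
            report[host] = findings
    return report


if __name__ == "__main__":
    for host, leaks in audit(SAMPLE_REQUESTS).items():
        print(f"{host}: leaks {', '.join(leaks)} in the clear")
```

Any host that shows up in the report is one where the app (or the service behind it) needs to move to HTTPS, or where a VPN is the only thing standing between that data and whoever sits on the path.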
So what can you do to defend yourself?
A few weeks later, Gallagher reviewed the Blackphone, a soon-to-be-released smartphone designed with security in mind. It is a fork of Android 4.4, with many of the Google applications replaced by more privacy-sensitive third-party apps. It comes with a secure voice, video and text service, a VPN service with anonymizing search for the browser, and a secure cloud storage service. The OS has granular controls over app access to data. What the phone does not have is an app store, which leaves users without curated access to add-on applications. Geoffrey Fowler's WSJ review of the Blackphone and the FreedomPop privacy-enhanced Galaxy S2 suggests that consumers who opt not to buy a built-for-privacy phone (he interviewed at least one expert who suggested sticking with an iPhone and locking it down) should take some precautions to protect their privacy:
- Password-protect your phone and use encryption. (Encryption is automatic in iOS once you set a passcode; on Android it is a separate option.)
- Choose encrypted calling and chatting apps
- Update your software religiously
- Turn on a VPN in insecure locations. (More on this below.)
- Get a second phone for super-sensitive work
I heartily endorse the use of a VPN. The one I am currently using, F-Secure Freedome, is always on, whether I am on an unencrypted WiFi hotspot or a trusted network. That's because it anonymizes my IP address, deletes tracking cookies, and blocks phishing web sites. The VPN used by the Blackphone, Disconnect, offers similar services. The FreedomPop phone also comes with a VPN. There are other VPNs as well, although not all bundle in as much anonymity.
The upshot is that we all need to get a lot more serious about how we protect our privacy on our mobile devices.
About Andy Sherman
Andy Sherman, Eden Technologies’ security practice lead, has a PhD in physics from Rensselaer Polytechnic Institute and started his career in the academic world. He then went to AT&T Bell Laboratories, where he discovered the power – and hazards – of large distributed computer networks. It was also at Bell Labs, during the early days of the Internet, that Andy became interested in the security problems associated with public networks. From Bell Labs Andy moved to the financial services industry. There he worked on a large range of infrastructure design, deployment, and management projects, but is best known for his 15+ years in information and technology security.