“If you’re not paying for it, you are the product”.
The sentiment was coined decades ago, but it’s more pertinent than ever; if you got that service for free, perhaps you’re the product being sold to someone else… but which part of you is being sold? Just as importantly, who developed it and why?

  • Another way of looking at it is “there’s no such thing as a free lunch”.
  • Also, it’s extremely likely that “if it seems too good to be true, it probably is”.
  • Plus, the Duck Test still holds: “if it looks like a duck, swims like a duck, quacks like a duck, then it’s probably a duck”.

Why the rhetoric? Because asking these questions can keep you safe; it’s precisely these principles that lie behind the security vulnerabilities and data breaches from which we’re all trying to protect ourselves. You may be surprised to learn that the free app you downloaded isn’t free at all: it’s collecting information about you and selling it to someone else. If you’re lucky, it’s anonymised metrics, off to somewhere trustworthy – and you may be cool with this – that’s great. However, if you’re unlucky, it could be monitoring you, pumping your contacts, data and credit card details to people you really don’t want to have them.

Examples:

  • Benign? Many Websites: showing tailored adverts based on your browsing patterns.
  • Benign? Shazam: collecting data and using it to analyse trends, which are sold to large organisations to predict sales, inform marketing etc.
  • Benign? AVG Free Antivirus: if you’re using the free version, your browsing history’s for sale, maybe even your private browsing – they have the ability.
  • Suspect? Google (search, Gmail, YouTube etc): watching every move, building a huge repository of information about you and your habits; the EU Justice Commissioner believed it breached EU Law.
  • Suspect? Facebook (Instagram): really, you already know what they’re doing, but do you trust them?
  • Harmful? Brain Test App: essentially pointless software, but it caused the infection of 1 million Android devices and undermined Google Play’s security.
  • Harmful? WeChat, NetEase and other apps on the Apple App Store: compromised when their developers used a copy of Apple’s Xcode development kit that they didn’t download from Apple (why?). It’s thought these apps then tried to steal iCloud credentials (i.e. it’d give them everything).
  • Wrong? StealthGenie: spying on you via your microphone, camera or location.

There’s no foolproof way to fully guard against this, but there are a few good pointers – reputable companies, trusted organisations, well-known products… and a healthy dose of skepticism and common sense.

Lessons:

Next time you’re considering downloading something free, or almost free, be skeptical. First ask:

  • What information could it hold?
  • What could it really do with that?
  • Do I really need it?
  • How do they make money?
  • If they sell me, is it a fair trade?
  • Do I trust them?

So, remember, when you’re looking for that elusive deal, if you’re not paying cash, you’re paying with personal information.