Bit of a different “news story” but we’ve picked up a story on Twitter that could have some worrying privacy implications for UK consumers. Ipsos MORI is sending out mail to get UK residents to take part in an “exciting new research study that looks at how people in the UK use, consume and interact with the internet.”
To take part, they’re asked to go to a website from their smartphone, computer or tablet and download the app, which then asks for permission to make and manage phone calls, access the device’s location and record audio. It also asks to install a root certificate on the device. Participants do all this for an initial £20 in points and an additional £5-£10 in points per month thereafter.
The Ipsos Iris Blue app permits the operator to access all network communications of the device it is running on, including content protected by SSL/TLS encryption (with the exception of traffic used by apps using correctly implemented certificate pinning). In addition, the app can access all content displayed on the device screen. A user might decide for themselves that they are willing to grant a third party this level of insight, though it is doubtful that many would if they fully understood all the privacy implications. However, if a personal device running this app were used for work, it could easily expose confidential documents and data to the operator, who has no commitment to the employer of the device’s user. As a result, this app could expose both the user and possibly their employer to significant legal risk.
People need to remain constantly vigilant to protect their cyber security and privacy. While it’s true that most attacks against individuals will come via phishing emails, that doesn’t mean they won’t be approached via phone calls, SMS, or in this instance via regular mail.
While the intent of the market research organisation may be genuine, the fact is that by installing the software and participating, users are rendering all of their device security useless. People should always be wary of anyone that asks them to install software, particularly if it involves accepting or bypassing security notifications.
With this particular offer, people are incentivised by the potential of gaining £5-10 a month in points by participating. This is no different from the old methods of asking for people’s passwords in exchange for a chocolate sweet. People need to remember that their data and personal information are worth a lot more than £5 a month and should not compromise their privacy for such a trivial amount.