Privacy experts call them "lunchtime attacks": when your friends, family or coworkers secretly access private data on your smartphone, without your knowledge. And this type of attack is a lot more prevalent than you might expect. A new paper from researchers at the University of British Columbia and the University of Lisbon estimates that as many as one in five people has accessed a friend's smartphone, without that friend's knowledge.
I mean, c'mon guys, I thought we were better than that.
The team recommends using strong passwords and keeping an eye on your device, but they found that those obvious pieces of advice still weren't enough to stop 31 per cent of participants in an online survey. Based on their responses, that number was estimated to have sneakily looked through someone else's device, at least once, within the past year. (Weighed to the US population, the researchers estimate that one-in-five adults has snooped on at least one other unknowing person within the year.) One of the authors, Konstantin Beznosov, who's an associate professor of electrical and computer engineering at UBC, defined the vector of the attacks as "social insiders."
Watch more on Daily VICE:
"[It's] somebody who is from your social circle: like your friends, your relatives or maybe roommates and coworkers," said Beznosov. "They have more chances to have access to your phone, physically. For example, when you leave your phone to go to the washroom or when you leave it on your desk.
"They are in a much better position than strangers to actually access your phone without your permission." Ironically, that's probably because you trust them more than you would a stranger.
Younger people have a higher tendency to execute a social insider attack
The paper, which is being presented at the Twelfth Symposium on Usable Privacy and Security on Thursday, acknowledges the difficulty of getting people to admit they're kind of being dicks, even though the survey was done anonymously.
Using Amazon's Mechanical Turk system, researchers broke participants into two groups—an experimental group, who were asked indirectly about their snooping habits, and a control group that wasn't. Now, the experimental group wasn't simply questioned on whether they had gone into other people's devices without telling them, because that would have been, quite predictably, met with dishonesty.
"This type of behaviour is associated with a social stigma," said Beznosov. "Most people would not honestly answer this question. Even if they were asked in anonymous way."
So, instead of asking people individually about their snooping habits, the researchers presented them with a "list experiment." That means they were given a list of statements, and asked how many—but not which specific ones—they agreed with. The experimental group was presented with this statement, among a range of others: "In the past 12 months, I've looked through someone else's cell phone without their permission."
Based on their responses, the paper authors estimate that 31 percent of participants had gone through somebody else's phone, without their knowledge, in the 12-month period before they did the survey.
"An aggregate estimate of positive response can then be calculated" according to the difference between groups, the paper explains, which is possible without knowing the "true answer" of each and every respondent.
"We had over 1300 participants in the study," said Beznosov. "We were able to measure the difference in the control group and the experimental condition. The difference allows us to measure how many participants were really engaged in this behaviour."
According to the study, younger people have a higher tendency to execute a social insider attack. "Being young and owning a smartphone, variables which the model suggests to be indicative of higher likelihood of engaging in snooping attacks, are also the typical characteristics of 'digital natives,'" said the study.
Seriously, we should know better. We have way bigger problems to deal with in the realm of digital privacy, than worrying about our own friends spying on us. We don't need to be threats to each other.
Correction: The original piece did not mention researchers from the University of Lisbon, who were co-authors on this paper. The story has been updated to reflect their contribution.