<![CDATA[Disconnect announcements]]>
https://blog.disconnect.me/

<![CDATA[Introducing Do Not Track Kids: A Privacy App to Keep Children Safe Online]]>
https://blog.disconnect.me/child-privacy/bd2f1f4a-047b-4b6b-a07b-1d3a795c01c3
Tue, 18 Oct 2022 06:56:00 GMT
Children are victims of intense online surveillance. Our latest app blocks tracking and teaches kids about online privacy.
Trackers hidden inside apps and websites collect intensely personal data about children that is used to manipulate them.

[Update: check out the launch coverage of DNT Kids in the Washington Post and in Gizmodo.]

According to a recent study by Super Awesome cited in an excellent article about children's privacy in the Washington Post, "By the time a child reaches 13, online advertising firms hold an average of 72 million data points about them."

Welcome to DNT Kids!

Another recent study by ad fraud company Pixalate identified and analyzed 1,000 of the most popular "child-directed" apps. The study showed that more than two-thirds of the top kids' apps in Apple's App Store and 79% of those in Google's Play Store collect and share personal information. For example, among the top child-directed apps, 76% in the Play Store and 67% in the App Store transmitted location data; 73% in the App Store and 35% in the Play Store had the potential to access personal data via permissions; and 50% in the Play Store and 33% in the App Store transmitted the device's IP address.

These studies are by no means outliers. One recent study revealed that 90% of educational apps and websites sent information to ad-tech companies. And in 2020 a study of pre-school apps showed that two-thirds collected and shared identifying information.

Invisible trackers

We recently launched a dedicated category to protect children against TikTok surveillance. As our announcement made clear, "TikTok is a Massive and Growing Surveillance and Propaganda Threat". TikTok has been the most popular app over the past few years, and according to the New York Times one-third of TikTok's users are reportedly 14 and under. TikTok not only collects and analyzes everything its users do inside its app; it also collects extremely personal information across a range of highly sensitive websites (WebMD, MayoClinic, PlannedParenthood, etc.), tracking not just TikTok users but all website visitors, including children.

The extent to which kids are being tracked is shocking and may have serious implications as children are more susceptible to being manipulated online. The more that marketers know about a child, the easier it is to control the thoughts and actions of that child. In many cases, marketers are trying to get the child to click an ad, and in fact research suggests that children often can't distinguish between ads and content. Sketchy ads are just the tip of the iceberg; data collected about our children could also be weaponized by a bad actor, or an adverse nation state, to influence their views on things like geo-politics, personal freedoms, or religion.

This should be illegal, but there's a well-known loophole that trackers exploit.

The idea that children's privacy should be protected is not controversial. Literally no politician would publicly oppose stopping online surveillance of children at the scale that is happening. Yet the only law in the U.S. that specifically protects children's privacy has a massive and very well-known loophole that pretty much all trackers utilize.

The Children's Online Privacy Protection Act (COPPA) makes it illegal to collect certain data about a child

The Children's Online Privacy Protection Act (COPPA) makes it illegal to collect certain data about a child IF the tracker has actual knowledge that the subject is a child. So guess what trackers do? They pretend to close their eyes so they can avoid actual knowledge that a user is a child. This practice is so widespread that a 2018 study of over 5,000 popular children’s apps discovered most of them were potentially violating COPPA.

Companies claim they don't actually know the age of the user, and they just keep on tracking

Common sense dictates that an app that is specifically created and marketed to pre-school age kids would in fact be used by children. But unless the app developer specifically asks the user's age, they can just keep on tracking and embedding surveillance technologies created by big tech companies like Facebook and Google, or thousands of smaller data brokers you've very likely never heard of, that are in the business of collecting and selling personal data.

The sad reality is that trackers are legally able to collect and share data about users they clearly know are children and then target kids with manipulative ads and messages specifically tailored to their interests and online activity.

Do Not Track Kids educates kids about privacy and blocks trackers across all websites and apps.

Do Not Track Kids is the first app designed specifically to educate kids about online privacy and help protect their devices from hidden tracking. Disconnect utilizes innovative technology and deep privacy expertise to block trackers and ads that secretly collect children's data inside apps, browsers, and email! DNT Kids works across the entire device to prevent tracking of location, website visits, app and email activity, and more. DNT Kids also blocks malicious ads and content that threaten your and your child's security.

DNT Kids

In addition, DNT Kids encrypts and filters the Domain Name System (DNS) lookups your device makes in the background. Encrypting DNS keeps on-path snoopers, such as whoever runs the Wi-Fi network you are on, from reading the names your device looks up, and filtering DNS lets the app block tracker domains device-wide, in apps as well as browsers.

Finally, DNT Kids provides lessons on a broad range of privacy issues, helping your child learn about online safety and how to take control of their personal data.

Once you or your child turn on protection, feel free to close the app and use the device as usual as our protection quietly keeps the device safe. Use this app as standalone protection or in combination with our other great privacy apps! Download Disconnect Kids on all your iOS devices today!

<![CDATA[Disconnect Research Featured by Consumer Reports: TikTok Tracks Your Sensitive Web Activity, Even if You Don't Use TikTok]]>
https://blog.disconnect.me/tiktok-tracks-your-sensitive-web-activity-even-if-you-dont-use-tiktok/0cbe750c-7bf5-438a-b382-dded70335167
Fri, 30 Sep 2022 19:02:00 GMT
TikTok tracks everyone who visits popular websites linked to extremely personal health, financial, or education data.
TikTok is a massive and growing surveillance and propaganda threat—we launched a dedicated category to protect against TikTok tracking.

TikTok has exploded in popularity over the last several years. Its app has been downloaded more than any other over the past 18 months, it now has more than 1.6 billion monthly active users, and it was the world's most visited site in 2021. According to the New York Times, one-third of TikTok's users are reportedly 14 and under.

Users aren't just downloading TikTok and using it once in a while. In fact, on a per-user basis people spend more time on TikTok than on the notoriously addictive Facebook and Instagram apps combined. Kids, especially, just can't seem to stop watching TikTok.

Because of the short video format found on TikTok, the company receives a massive amount of signals from its users. Not just the type of video that you watch, but whether and how much you re-watch, pause, zoom, comment, follow, share, scroll past, skip, etc. These micro-signals when combined with your location data, allow TikTok to gain deep insights into who you are and not only what videos will keep you watching, but what type of advertisements and messaging you'll respond to.

Relying on surveillance to target advertisements at its users, TikTok has recently turned on the money firehose and is on track to make $12 billion or so in revenue this year. Still a private company with no public reporting or transparency, TikTok's last valuation of $360 billion reflects investor confidence in not only TikTok's growth trajectory and engagement but in its ability to monetize user data.

Our research reveals that TikTok tracks highly sensitive data about everyone who visits popular websites.

We recently partnered with Consumer Reports to investigate TikTok tracking pixels embedded in websites. You can and should read Consumer Reports' excellent story featuring our research.

Our results show that thousands of popular websites, including major websites that carry a heightened expectation of privacy (WebMD, the Mayo Clinic, Planned Parenthood, RiteAid, several financial and educational sites, even the Girl Scouts), embed TikTok's tracking pixel. For every website visitor, even those who have never used the TikTok app, TikTok may receive a user identifier (IP address plus a digital fingerprint) and the exact page that was visited, and, depending on the website, what the person clicked on, typed, or searched for.

As we show below and highlight in the articles above, the nature of information TikTok collects is incredibly sensitive and should absolutely not be collected without explicit user notice and permission. Yet none of the sites we analyzed that integrated the TikTok tracking pixel gave any actual heads-up to the user about TikTok's data collection.

As our Chief Technology Officer Patrick Jackson told Consumer Reports: “The only reason this works is because it’s a secret operation. Some people might not care, but people should have a choice. It shouldn’t be happening in the shadows.”

We are publishing some of our research to highlight the incredibly sensitive nature of the information collected by TikTok (and many other trackers).

Our initial task was to scan about 20,000 websites to detect the use of the TikTok pixel. Out of the hundreds of websites we identified, we were then asked to focus on 15 and dig into exactly what data TikTok was receiving from them.

Here are some examples of what we found.

Rite-Aid: TikTok able to collect searches, every product page viewed, cart, checkout


  • On RiteAid (http://riteaid.com) we observed 16 network connections to TikTok during every page load.
  • All user activity on the RiteAid site is logged to TikTok. For example, when a user searches "Plan B", every step the user takes (searching "Plan B", viewing the product page, adding to cart, checking out) is logged to TikTok with no user opt-in, or even an acknowledgement that TikTok is collecting this data.

WebMD: TikTok able to collect searches, page views


  • On WebMD (http://webmd.com) we observed 14 network connections to TikTok on the homepage.
  • Not every page triggers connections to TikTok, but when a user navigates to a page that does, the pixel can leak previously visited pages by sending the page's referrer: under the default referrer policy, a same-site navigation leaves the full URL of the previous page, query string included, in document.referrer. Because of this, TikTok collects which symptoms users are searching for. For example, when a user searches for "erectile dysfunction", TikTok also collects that information.
  • Likewise, after searching "heavy periods" and then clicking the top menu to view information about cancer, TikTok can see the previous viewing information about heavy periods.

Mayo Clinic: TikTok able to collect searches and page views


  • On Mayo Clinic (https://www.mayoclinic.org/) loading the homepage sends 14 network requests to TikTok.
  • TikTok collects when users run private searches like "abortion".
  • After being contacted by Consumer Reports, Mayo Clinic removed the TikTok pixel; we verified the removal.

Planned Parenthood: TikTok able to collect data on nearly all pages


  • On Planned Parenthood (https://plannedparenthood.org) the initial page load sends 16 network requests to TikTok.
  • TikTok data collection was detected on most pages tested (notably, no TikTok tracking was found on pages related to booking abortion appointments).
  • Sensitive pages that include TikTok data collection include, but are not limited to, learning about birth control, donating, and taking an emergency contraception quiz.

RAINN ("The nation's largest anti-sexual violence organization"): TikTok able to collect data on nearly all pages


  • On RAINN (https://www.rainn.org/) TikTok was observed collecting data on almost every page loaded.
  • Every page load tested sends at least 30 network connections to TikTok.
  • Many sensitive pages on the website send data to TikTok. For example, a person viewing RAINN's guidance on what to do after a sexual assault would have that fact sent directly to TikTok.
  • Loading RAINN's donation page also sends this data to TikTok.

Collected data used for more than ads: mind control is sometimes the aim

TikTok, like other social media apps, is obsessed with growth, user engagement, and revenue generation through advertising. Ad space is sold to pretty much anyone with a credit card. Advertisers could be selling a product, but they could just as easily be trying to influence what people think or how they act. Ads aren't just bought by companies, but also by government-sponsored actors. In addition, government-created accounts or accounts controlled by a government may act to influence their audiences on behalf of the government.

Government influence operations via social media are prevalent because social media ad networks provide the ability to target users very effectively based on all the data large social media companies collect about their users, including online activity, social graph, location, purchases, etc. One recent high-profile example is the Russian disinformation campaigns in support of Trump's 2016 election via Facebook, Twitter, and other major social platforms. More recently, Meta/Facebook says it removed "China-based propaganda targeting the US midterm elections". In addition to China and Russia, the US, Iran, and other large nation-states have had government-sponsored influence campaigns taken down by Facebook, Twitter, Google, Snap, and more.

TikTok operates under control of Chinese government, but is banned in China

TikTok is owned by the Chinese company ByteDance; however, the Chinese government does not allow TikTok (like Facebook, Twitter, and many other social media companies) to operate in China. Although people in China may not have access to TikTok, under Chinese law the government is able to access TikTok's data essentially at will. Recent investigative reports make clear that the Chinese government "has access to everything" inside TikTok and is able to act as a "Master Admin".

No matter your politics, most would agree that the Chinese and US governments are adversaries in many respects. Chinese strategic goals most certainly include weakening the US and strengthening its own interests. TikTok is seen as an increasingly powerful tool for China to influence the minds of US-based users, especially children.

Professor Scott Galloway, calling for a ban on TikTok, puts it this way: "The tip of China’s propaganda spear is TikTok, which has a direct connection to the midbrain of a billion people, including nearly every U.S. teenager and half their parents . . . now China commands the most powerful propaganda tool." Galloway argues that the Chinese government can and likely does use TikTok to subtly influence the minds of users on a range of topics that are in the interests of the Chinese state. Some of these topics could be fomenting political or social discord in the US, working to undermine democracy and capitalism, and of course, censoring any videos that reflect poorly on China while promoting videos that portray China in a positive light.

We have a new category dedicated specifically to blocking TikTok tracking

Based on our research, we are excited to announce that we now have a specific category dedicated to blocking TikTok tracking in websites and apps not owned by TikTok. By default when you use our apps and browser extensions, we block the primary TikTok tracking pixel. If you're using one of our great iOS apps, we also give you the power to ratchet up the protection to Aggressive or Strict blocking.
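The two mechanisms behind the findings above, a tracker pixel that must be blocked on third-party sites but left alone on the owner's own properties, and a pixel that learns the previous page from document.referrer, can be shown in a few dozen lines. The Swift below is an added example written for this page, not Disconnect's app code or its tracking-protection list; the list entry, the TikTok pixel hostname, and the WebMD URLs are assumed for illustration.

```swift
import Foundation

// Added example (not Disconnect's code or list): first-party-aware blocking of a
// tracker on third-party pages, plus what a pixel on the current page can learn
// from document.referrer. Hostnames and URLs below are assumed/constructed.

/// One tracker owner: the sites it operates itself and the hosts it uses for tracking.
struct TrackerEntry {
    let owner: String
    let properties: [String]   // registrable domains that count as the owner's first party
    let trackers: [String]     // hosts (or parent domains) the pixel reports to
}

/// Assumed entries for illustration; a real blocklist is far larger.
let trackerList: [TrackerEntry] = [
    TrackerEntry(owner: "TikTok",
                 properties: ["tiktok.com"],
                 trackers: ["analytics.tiktok.com"]),
]

/// Matches a host against a list entry: the host itself or any subdomain of it.
func hostMatches(_ host: String, _ pattern: String) -> Bool {
    let h = host.lowercased(), p = pattern.lowercased()
    return h == p || h.hasSuffix("." + p)
}

/// Registrable domain, approximated as the last two labels. Production code
/// must use the Public Suffix List (otherwise "example.co.uk" collapses to "co.uk").
func registrableDomain(_ host: String) -> String {
    let labels = host.lowercased().split(separator: ".")
    return labels.count < 2 ? host.lowercased() : labels.suffix(2).joined(separator: ".")
}

struct Verdict {
    let block: Bool
    let owner: String?
    let exposedReferrer: String?   // path+query of the previous page, if the tracker could read it
}

/// Decides whether a request made from `page` should be blocked as third-party
/// tracking, and records what the previous page (document.referrer) would reveal.
func audit(request: URL, page: URL, documentReferrer: URL?) -> Verdict {
    guard let requestHost = request.host, let pageHost = page.host else {
        return Verdict(block: false, owner: nil, exposedReferrer: nil)
    }
    for entry in trackerList {
        guard entry.trackers.contains(where: { hostMatches(requestHost, $0) }) else { continue }
        // First-party exemption: TikTok reporting to itself on tiktok.com is not cross-site tracking.
        let pageDomain = registrableDomain(pageHost)
        if entry.properties.contains(where: { hostMatches(pageDomain, $0) }) {
            return Verdict(block: false, owner: entry.owner, exposedReferrer: nil)
        }
        // A same-site navigation carries the full previous URL in document.referrer,
        // so a pixel on this page sees the search the user ran one page earlier.
        var exposed: String?
        if let ref = documentReferrer,
           let comps = URLComponents(url: ref, resolvingAgainstBaseURL: false) {
            exposed = comps.path + (comps.query.map { "?" + $0 } ?? "")
        }
        return Verdict(block: true, owner: entry.owner, exposedReferrer: exposed)
    }
    return Verdict(block: false, owner: nil, exposedReferrer: nil)
}

// Constructed sample: a pixel request fired from a WebMD article reached after a site search.
let pixel = URL(string: "https://analytics.tiktok.com/api/v2/pixel?event=PageView")!
let article = URL(string: "https://www.webmd.com/men/guide/erectile-dysfunction-ed")!
let search = URL(string: "https://www.webmd.com/search/search_results/default.aspx?query=erectile+dysfunction")!

let verdict = audit(request: pixel, page: article, documentReferrer: search)
print("block:", verdict.block, "owner:", verdict.owner ?? "-", "referrer exposed:", verdict.exposedReferrer ?? "-")

// The same pixel on TikTok's own site is first party and is left alone.
let ownSite = URL(string: "https://www.tiktok.com/foryou")!
print("block on tiktok.com:", audit(request: pixel, page: ownSite, documentReferrer: nil).block)
```

For the WebMD sample, audit returns a blocking verdict and exposedReferrer carries the search path and query from the previous page, which is exactly the leak described for WebMD above; for the request made from tiktok.com it returns no block. The first-party exemption is what lets a category like this one block TikTok "in websites and apps not owned by TikTok" without breaking TikTok's own site.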

Our mission at Disconnect is to put you back in control of your privacy. Giving you the power to block TikTok tracking is another way we help you enjoy a safer internet!

<![CDATA[Data Brokers Secretly Track Your Location, Like Pretty Much All the Time]]>
https://blog.disconnect.me/block-location-tracking/761bc283-4e36-4809-8aa1-6cf596fea722
Thu, 23 Jun 2022 15:42:00 GMT
Your exact location is being tracked and sold behind your back.
Tracked within a matter of a few feet at all times. Location data can be combined with other sensitive online activity to create a detailed profile of where you go and what you do online and IRL.

As a spate of recent investigative reports makes clear, there are no laws in the US prohibiting the sale of your location information. This report in The Markup illustrates how the lack of regulation leaves people vulnerable to location tracking, and, not surprisingly, plenty of companies are taking advantage. In fact, the market for your phone's location data is estimated at over $16 billion in 2022, and that market is growing fast, with an estimated compound annual growth rate of 15.6% from 2022 to 2030.

Just how many people are having their location tracked? The Intercept recently profiled a small company most people have never heard of, Anomaly Six (A6), that has boasted about its ability to track the real-time locations of 3 billion devices. Another little-known location tracker, Near, says it has collected data on 1.6 billion people in 44 countries. Yet another obscure company, Mobilewalla, claims to have location data about 1.9 billion devices. These and many other data brokers claim they are able to track and save people's precise location, to within a matter of feet, throughout their days, every day, for years. So it is probably safe to assume that if you have a smartphone, you're vulnerable to having your location tracked in ways you may not desire.

But how do these small, random companies get location information from your device? An excellent report in The Wall Street Journal illustrates exactly how. The WSJ story focuses on how analytics and ad trackers embedded in the gay dating app Grindr collected and then sold its users' location data to data brokers.

Recent reports like the WSJ story highlight not just a vulnerability in one app or the ability for one company to buy location data, but a much larger and pervasive problem that we at Disconnect have been warning about for many years: the vast majority of apps integrate tracking technologies that expose user details to hundreds or thousands of unknown parties. Apps that encourage users to share their location information are able to harvest valuable data that often is core to how they make money.

Detailed profiles of individuals are being built, bought, and sold by companies you've never heard of all the time, and much of this is accomplished through software development kits (SDKs). There are thousands of data-sharing partnerships, of a kind that neither app makers nor data brokers publicize, to collect pinpoint location data on billions of devices through these SDKs embedded in apps. Many apps require location-based services to be turned on in order to function but do not explicitly inform people of the potential privacy implications.

This detailed location information can then be correlated with online activity and personal hard identifiers - email address, real names, home address, place of employment, etc. - presenting serious privacy and security issues. What’s even more concerning is that anybody can legally buy access to all of this very sensitive personal information, making it critical for users to protect themselves.

Tracking technology is getting more sophisticated with the ability to track people from their homes, to work, on vacation, everywhere. Even CIA and NSA employees are vulnerable.

Location data trackers continue to develop techniques that enable more comprehensive and invasive surveillance. Despite current attempts to regulate tracking, data brokers continue to collect and share information in ways most people do not understand and would not allow.

The Intercept report revealed that the data broker A6 uses a technique called "geofencing" to track devices at specific locations. Geofencing involves creating a virtual perimeter around a location and applying a specific treatment or ruleset to devices within the perimeter that have location-based services turned on. The vast majority of people using devices with location-based services enabled have experienced geofencing whether they know it or not. Airline apps may load boarding passes automatically based on your proximity to airports or security check points, hotel apps may load a digital room key when approaching, or specific geographically targeted ads will load when a device is in a certain place. All of these are based on tracking the device’s real-time location.

Through its use of geofencing, A6 claims it was even able to identify potential CIA and NSA officials by drawing boundaries around their respective headquarters, seeing devices that visited both locations, and subsequently tracking them across the world, everywhere from the Middle East all the way back to their individual homes.

This type of extensive tracking is not only a threat to national security but a threat to every individual and every organization. If data brokers can track trained security professionals in the intelligence community from their work and home locations, the average individual and employee is clearly vulnerable.

The potential for abuse is endless: for example, location trackers are selling maps of where abortion clinic visitors live; one data broker was even giving heat maps away for free

It has become trivial to tie location tracking data to an individual's home (e.g., where the phone pings most often from 11pm-8am), work, as well as other sensitive activities like health appointments, visits to financial institutions, and more.

According to a recent Vice report a tracking firm called SafeGraph was selling location data that tracked devices who visited a Planned Parenthood, where they came from and where they went. Vice also reported that another tracking firm, Placer.ai, was giving away free heat maps for Planned Parenthood visitors. In light of the recently leaked draft decision overturning Roe v Wade and indications that a few dozen states plan to ban or severely restrict abortion access, the ability of shady data brokers to track visits to abortion clinics should clearly be prohibited.

There are many examples one can imagine of how tracking a person's location could create serious privacy, security, and real world safety concerns for individuals and businesses. But as mentioned previously, and it's worth repeating, in the US it is currently totally legal for data brokers to collect and share location information tracked from your phone. Until lawmakers act, individuals and businesses must take steps to do what they can to mitigate this serious vulnerability.

What can you do to protect yourself?

Your location data is like a genie in a bottle: once it's collected there's no great way to delete that information or get it back from the data brokers. While protecting against all forms of smartphone location tracking is difficult, there are a few quick things you can do to better protect yourself.

Do not allow location access when apps ask permission

Unless it is absolutely essential for the app's functionality, consider completely turning off location sharing, especially for apps you rarely use. Even if an app asks you to share location data only while the app is in use, there are recent reports of apps not honoring that limitation. The popular Tim Hortons app misled users into believing location data would only be accessed while the app was being used, but in reality the app tracked location every minute of the day. So regardless of what an app says, it's probably a good idea to grant location permissions very selectively.

To turn off location sharing for iOS devices see this Apple support page. https://support.apple.com/en-us/HT207092

To turn off location sharing for Android devices see the Google support page. https://support.google.com/accounts/answer/6179507?hl=en

Block SDKs and trackers across your entire device

Trackers embedded in websites, apps, and emails are able to correlate your location and device.

Virtual Private Networks (VPNs) mask your internet protocol (IP) address and encrypt device traffic. Since your IP address reveals your approximate location to trackers, a VPN protects against that coarse, IP-based form of location tracking; this is also why VPNs are typically used to avoid geo-restrictions, for example to change whether a streaming service sees a user as located in Europe or the US. But a VPN without tracker blocking will not prevent the in-app, SDK-based location tracking that is the subject of the reports above: the app still reads the precise location from the device and sends it to the tracker through the tunnel.

Since 2011 Disconnect has been dedicated to helping people take control of their data and privacy by blocking unwanted tracking. Our solutions block thousands of invisible trackers including SDKs and domains associated with location trackers that are found in websites, apps, and emails. Check out our products to learn more about how we help protect individuals and employees against tracking.

<![CDATA[Leak advisory: Apple and *All* iOS App Developers Are Able to Unmask VPN Users]]>
https://blog.disconnect.me/ios-vpn-leak-advisory/ca257873-c0ec-4d49-9170-90e06ba8dd96
Tue, 15 Mar 2022 17:49:00 GMT
As Russians and other vulnerable users flock to VPNs for protection, the reality is that hundreds of millions of people who use consumer or corporate iOS VPNs are vulnerable to app developers taking advantage of Apple APIs to easily bypass VPNs on Wi-Fi for malicious, commercial, or surveillance purposes. Apple gives itself even greater power to bypass VPN protections on both Wi-Fi and cellular.

Real IP leaked

Users who install VPNs on iOS for personal use or work may believe they are sending all their device traffic over that VPN, but our research (see our testing methodology below) shows that's not always the case. Apple provides APIs to all developers (literally every app in the App Store has access) that allow any app you install to easily and secretly bypass your VPN protection, receive traffic directly from your device, and view your cellular IP when you're on Wi-Fi. Additionally, Apple reserves for itself the power to bypass your VPN without any notice or permission on both Wi-Fi and cellular connections.

Using these loopholes app developers are able to detect users that have an active VPN connection and then correlate a user's true cellular IP to their online activity conducted while using a VPN. This allows Apple or any developer to track VPN use to a particular IP, device, and/or person.

Why this matters

People in countries with heightened surveillance and diminished civil rights are most vulnerable to this VPN leak. Most pressing, currently in Russia people are flocking to VPNs to evade government censorship, but these Apple provided VPN workarounds could help authorities to unmask VPN users and result in severe legal consequences. Right now, it's not hard to imagine that app developers with friendly or compulsory data sharing agreements with the Russian government (i.e., most of the popular Russian-based apps) would automatically report people who use VPNs along with their cellular IPs and device fingerprints to the government authorities, who would then be able to personally identify the individuals and track their VPN activities. All of this without any notice to the user.

Search volume of VPN in Russia & Ukraine

Additionally, malicious apps, or apps that profit from surveillance could use the Apple provided API to thwart VPN protections on Wi-Fi and secretly collect valuable personal information. In addition, apps that don't allow VPNs may use this power to secretly detect, unmask, and/or block VPN users.

Finally, Apple itself is in a position to unmask any iOS VPN user on Wi-Fi or cellular. And while you may trust Apple to protect your data from other companies, what happens if Apple gets a government request such as a subpoena, court order, warrant, or other valid legal request? Apple publishes Transparency Reports documenting government requests for data by country. The Transparency Reports for Russia cover the years 2013-2020, but nothing for 2021. In 2020, for example, Apple received more than 3 government requests from Russia every day of the year (1,123 total) for device data. But there is no indication whether the requests from Russia or any other country include data Apple may have collected by bypassing VPN protections.

The important point, that is worth repeating, is that in all the examples mentioned above, the device traffic is sent to Apple or another third-party app developer without any request for permission or user notice whatsoever.

Here's how it works

Apple provides all developers with access to its Network.framework, Multipath TCP (MPTCP), and other networking APIs, which by design allow any app developer to bypass the Wi-Fi interface and route traffic directly over the cellular interface. Invoking these tools effectively allows any app developer to unmask VPN users on Wi-Fi without notice or consent. By routing device traffic over the cellular interface, app developers are able to bypass VPN protection and obtain the user's cellular IP and other device information that allows that app developer to fingerprint a particular device and/or user.

Screenshot of an example app showing the user's cellular IP leaking while connected to a VPN

Apple also has the ability to bypass VPN protections and routinely does so, for example when Siri is invoked. Routing literally all device traffic through a VPN may not always be possible or advisable for certain device features and functionality, but the concern here is the lack of transparency and control. Apple's developer documentation does not appear to mention any carve-outs or connections that are not routed via the VPN, in particular in the documentation for establishing a VPN. And although Apple requires very explicit user permission to install a VPN profile, there is no mention of the issues presented here.

Does Apple know about this? Are they doing anything to address this?

Apple definitely knows about this issue. Apple created Network.framework, which specifically allows developers to route traffic over a non-default interface: an app can require the cellular interface, so that a user on Wi-Fi has that app's traffic sent over cellular without it ever traveling to the VPN server. Apple's developer documentation also clearly describes using Multipath TCP (MPTCP) to route traffic over the cellular interface. And in addition to Network.framework and MPTCP, Apple allows developers to use BSD sockets bound to a specific interface to accomplish the same result, bypassing the user's VPN protection by moving Wi-Fi traffic onto the cellular interface.

To Apple's credit, on September 16, 2020, with the launch of iOS 14, Apple did release a new VPN property, with very limited documentation, called includeAllNetworks, which stops Apple and third-party developers from exploiting the cellular interface while a VPN is established. The problem with includeAllNetworks is that this API property isn't compatible with all VPN types, causes massive breakage, and in our testing is unusable. For many VPNs, like ours, that rely on the natively supported IPsec/IKEv2 VPN protocols, when the property is active a packet tunnel provider VPN will break any other user-installed personal VPNs (even when the packet tunnel provider VPN isn't connected or isn't even active), as described further in the Apple Developer Forum here. For other VPNs built on the WireGuard secure network tunnel, setting includeAllNetworks in our tests has repeatedly resulted in internet connectivity failure, for example when switching between Wi-Fi and cellular. Often the failure requires rebooting the entire device, which is a particularly brutal user experience. As of today's date WireGuard is aware of the new property but has not adopted it. There does appear to be at least one VPN provider offering includeAllNetworks as part of its "kill switch" feature, but none of the leading consumer and corporate VPNs that we tested have integrated includeAllNetworks.
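Concretely, the interface scoping described above and the includeAllNetworks mitigation look like this in Swift. This is an added example written for this page, not Disconnect's or Apple's code; the IP-echo host (api.ipify.org over plain HTTP on port 80) and the tunnel bundle identifier and server address are assumptions. Run it on a device with a SIM, connected to Wi-Fi, with a VPN active: the unpinned connection exits through the tunnel, while the connection pinned to .cellular exits through the carrier and returns the real cellular IP.

```swift
import Foundation
import Network
import NetworkExtension

// Added example, not Disconnect's app code. The host is an assumption: any
// plain-HTTP service that echoes the caller's IP in the response body will do.
let ipEchoHost = "api.ipify.org"

/// Fetches the caller's egress IP over a raw TCP connection. `interfaceType` nil
/// means "whatever the system routes by default" (the VPN's tunnel when one is
/// up). `.cellular` is the scoping the post describes: Network.framework brings
/// up the cellular path and the bytes never enter the tunnel.
func fetchEgressIP(pinnedTo interfaceType: NWInterface.InterfaceType?,
                   completion: @escaping (String?) -> Void) {
    let params = NWParameters.tcp
    params.requiredInterfaceType = interfaceType
    let conn = NWConnection(host: NWEndpoint.Host(ipEchoHost), port: 80, using: params)
    let queue = DispatchQueue(label: "vpn-leak-check")   // serial, so the vars below need no lock
    var finished = false
    var body = Data()

    // Deliver exactly one result even if .cancelled fires after we finish.
    func finish(_ result: String?) {
        guard !finished else { return }
        finished = true
        conn.cancel()
        completion(result)
    }

    // Read until the server closes (Connection: close), then strip the HTTP headers.
    func readMore() {
        conn.receive(minimumIncompleteLength: 1, maximumLength: 4096) { chunk, _, isComplete, error in
            if let chunk = chunk { body.append(chunk) }
            if isComplete || error != nil {
                let text = String(decoding: body, as: UTF8.self)
                if let split = text.range(of: "\r\n\r\n") {
                    finish(String(text[split.upperBound...]).trimmingCharacters(in: .whitespacesAndNewlines))
                } else {
                    finish(nil)
                }
            } else {
                readMore()
            }
        }
    }

    conn.stateUpdateHandler = { state in
        switch state {
        case .ready:
            let request = "GET / HTTP/1.1\r\nHost: \(ipEchoHost)\r\nConnection: close\r\n\r\n"
            conn.send(content: Data(request.utf8), completion: .contentProcessed { sendError in
                if sendError != nil { finish(nil) } else { readMore() }
            })
        case .failed, .cancelled:
            finish(nil)
        default:
            break
        }
    }
    conn.start(queue: queue)
}

/// Runs the fetch twice, unpinned and pinned to cellular, and reports whether an
/// installed app could learn the real cellular IP behind the VPN.
func checkForCellularLeak(report: @escaping (String) -> Void) {
    fetchEgressIP(pinnedTo: nil) { defaultIP in
        fetchEgressIP(pinnedTo: .cellular) { cellularIP in
            switch (defaultIP, cellularIP) {
            case let (d?, c?) where d != c:
                report("LEAK: default path exits as \(d), cellular-pinned path exits as \(c)")
            case let (d?, _?):
                report("No leak observed: both paths exit as \(d)")
            case (_, nil):
                report("Cellular-pinned connection failed: cellular is off, or the VPN set includeAllNetworks")
            case (nil, _):
                report("Default-path connection failed")
            }
        }
    }
}

/// VPN side: the one knob Apple offers. Setting includeAllNetworks on the tunnel
/// configuration pulls interface-scoped (cellular) traffic into the tunnel, with
/// the breakage described above. Bundle identifier and server are placeholders.
@available(iOS 14.0, *)
func makeStrictTunnelProtocol() -> NETunnelProviderProtocol {
    let proto = NETunnelProviderProtocol()
    proto.providerBundleIdentifier = "com.example.vpn.tunnel"   // placeholder
    proto.serverAddress = "vpn.example.com"                      // placeholder
    proto.includeAllNetworks = true
    return proto
}

checkForCellularLeak { print($0) }
```

If cellular data is switched off, the pinned connection fails instead of leaking, which is exactly the user-side workaround recommended below. makeStrictTunnelProtocol shows where includeAllNetworks is set on a packet tunnel configuration; it changes nothing about what third-party apps can request, it only makes the system pull their interface-scoped traffic into the tunnel, at the cost of the compatibility problems described above.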

So not only is Apple creating this issue and not providing a workable fix, but they are also failing to even warn VPN developers or users that the issue exists. While Apple may argue that the ability for Apple and other app developers to "scope" traffic (e.g., to specify whether to route traffic over Wi-Fi, cellular, or both) actually benefits users in many cases, there is no excuse for not providing VPN users with control or notice that their protections may be secretly bypassed by Apple or any random app developer. Apple could easily, for example, require every VPN user to be notified of the issues we present here. After all, Apple requires every user who proactively installs a VPN to view an iOS system dialog that warns users that "All network activity on this iPhone may be filtered or monitored when using VPN." Apple then requires the user to proactively tap Allow and then enter the device passcode to add a VPN. So why doesn't Apple give a heads up to users that their VPN protections may be subverted behind their back? For a company that sets the bar globally for privacy and transparency, they should do better and at a minimum require user notification / permission regarding these iOS VPN issues.

Here's what you can do to protect yourself

Unfortunately, because VPN developers must build on top of Apple's operating system, there's not much iOS VPN developers can do to protect users.

iOS VPN Advisory

So for now, unfortunately, the only thing users can do to protect themselves from app developers bypassing the VPN is to turn off cellular when using a VPN on Wi-Fi. We have already updated our apps to show VPN users an Advisory that explains the issue.

It's also worth noting that even if users were able to protect themselves from the iOS vulnerability we describe here, the reality is that governments may have other means of bypassing VPN protections. That said, our hope is that Apple takes steps to mitigate these issues.

Here's how to duplicate the issues: Our testing methodology

Issue 1 description

Apple's Network.framework allows developers to exclude the Wi-Fi interface and route traffic over the cellular interface. If a VPN is connected, no VPN connection is established on the cellular interface, so traffic routed over cellular bypasses the tunnel and is unprotected by the VPN.

A simple app written in Swift will demonstrate this issue:

  1. Create a new Swift app in Xcode and replace AppDelegate.swift with the following code:
//
//  AppDelegate.swift
//  Example VPN leak from Network.framework
//  Author: Patrick Jackson, https://disconnect.me
//

import UIKit
import Network

@main
class AppDelegate: UIResponder, UIApplicationDelegate {

    var conn: NWConnection?

    func application(_ application: UIApplication, didFinishLaunchingWithOptions launchOptions: [UIApplication.LaunchOptionsKey: Any]?) -> Bool {

        let tlsParams = NWParameters.tls
        tlsParams.preferNoProxies = true
        // Exclude Wi-Fi for this endpoint, which forces the connection onto cellular
        tlsParams.prohibitedInterfaceTypes = [NWInterface.InterfaceType.wifi]
        let host = "ip.disconnect.app" // TLS-enabled endpoint that reports the external IP
        conn = NWConnection(host: NWEndpoint.Host(host), port: 443, using: tlsParams)
        conn?.stateUpdateHandler = { state in
            print("State Update: \(state)")
            if state == .ready {
                let method      = "GET"
                let uri         = "/"
                let httpVersion = "HTTP/1.1"
                let headers     = "Host: \(host)\r\n"
                let body        = ""
                // Construct a minimal HTTP request to send over the readied connection
                let rawHTTPRequest = "\(method) \(uri) \(httpVersion)\r\n\(headers)\r\n\(body)"

                self.conn?.send(content: rawHTTPRequest.data(using: .ascii), completion: .contentProcessed({ _ in
                    self.conn?.receiveMessage { data, _, completed, error in
                        // Cellular data needs to be enabled; receiving the response may take several seconds
                        if let data = data, let resp = String(data: data, encoding: .utf8) {
                            print("HTTP Response: \(resp)")
                        } else if let error = error {
                            print(error.localizedDescription)
                        } else {
                            print("Response: nil, completed: \(completed)")
                        }
                    }
                }))
            }
        }
        conn?.start(queue: .main)
        return true
    }

    func application(_ application: UIApplication, configurationForConnecting connectingSceneSession: UISceneSession, options: UIScene.ConnectionOptions) -> UISceneConfiguration {
        // Called when a new scene session is being created.
        // Use this method to select a configuration to create the new scene with.
        return UISceneConfiguration(name: "Default Configuration", sessionRole: connectingSceneSession.role)
    }
}
  2. Ensure the VPN is connected (verify with https://ip-api.com) and cellular data is enabled.

  3. Run the application and wait a few seconds (up to 30 seconds if necessary).

The app will output to the Xcode console a JSON data structure with the information learned from the connecting IP (the cellular IP address), including IP address, ISP, city, state, country, etc.

Result: There is no indication to the user that 1) the cellular connection is being used instead of Wi-Fi and 2) this traffic is hidden from the VPN, which renders any filtering or advanced security/phishing protection provided by the VPN useless.

{
  "as": "AS7018 AT&T Services, Inc.",
  "city": "Chicago",
  "country": "United States",
  "countryCode": "US",
  "hosting": false,
  "isp": "AT&T Services, Inc.",
  "lat": 41.8781,
  "lon": -87.6298,
  "mobile": true,
  "org": "Service Provider Corporation",
  "proxy": false,
  "query": "REDACTED",
  "region": "IL",
  "regionName": "Illinois",
  "reverse": "mobile-REDACTED.mycingular.net",
  "status": "success",
  "timezone": "America/Chicago",
  "zip": "60666"
}

Issue 2 description

Developers are able to create an MPTCP connection using URLSession without using Network.framework. See documentation here.

This requires developers to add the multipath entitlement:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.developer.networking.multipath</key>
    <true/>
</dict>
</plist>

Client

//
//  AppDelegate.swift
//  Example MPTCP VPN Leak
//  Author: Patrick Jackson, https://disconnect.me
//

import UIKit

@main
class AppDelegate: UIResponder, UIApplicationDelegate {

    let config = URLSessionConfiguration.ephemeral
    var task: URLSessionDataTask?

    func application(_ application: UIApplication, didFinishLaunchingWithOptions launchOptions: [UIApplication.LaunchOptionsKey: Any]?) -> Bool {
        // Ask URLSession for an MPTCP connection; this needs the multipath entitlement above
        config.multipathServiceType = .interactive
        repeatFlow()
        return true
    }

    func repeatFlow() {
        // Test server whose incoming SYNs are captured with tcpdump (see Server below)
        let url = URL(string: "https://147.182.197.19/")!

        let session = URLSession(configuration: config)
        task = session.dataTask(with: url) { data, response, error in
            print(response as Any)
            print(data as Any)
            print(error?.localizedDescription as Any)
        }
        task?.resume()

        // Issue a new request every second so the sub-flows keep showing up in the capture
        delay(1) {
            self.repeatFlow()
        }
    }

    func delay(_ seconds: Double, closure: @escaping () -> Void) {
        DispatchQueue.main.asyncAfter(deadline: .now() + seconds, execute: closure)
    }
}

Server

At the server (which doesn’t need to support MPTCP in order to unmask users), traffic destined for port 443 can be easily sniffed to reveal the user’s VPN and cellular IP address. For example:

root@ubuntu:~# tcpdump -n -i eth0 dst port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
21:14:30.851048 IP [REDACTED-VPN-IP-ADDRESS].49339 > [TEST-SERVER-IP].443: Flags [S], seq 2950275670, win 65535, options [mss 1240,nop,wscale 6,nop,nop,TS val 1936254843 ecr 0,sackOK,eol], length 0
21:14:31.235312 IP [REDACTED-CELLULAR-IP-ADDRESS].49617 > [TEST-SERVER-IP].443: Flags [SEW], seq 3271060219, win 65535, options [mss 1460,nop,wscale 12,sackOK,TS val 3304016412 ecr 0], length 0

Issue 3 description

Apple uses Multipath TCP (MPTCP) for Siri and other miscellaneous network requests. Even when a VPN is on, this MPTCP traffic is sent directly from the Wi-Fi and cellular (if available) interfaces, outside the VPN tunnel.

Wi-Fi testing requirements:

  • Ability to capture the internet traffic of the iOS device. You could use an access point with a router that allows the network traffic to be captured.

  • Wireshark to view the network captures.

Cellular testing requirements:

  • Ability to capture the cellular internet traffic of the iOS device.

  • Wireshark to view the network captures.

Process:

Connect VPN. Verify it is indeed connected by visiting a website like https://ip-api.com.

From Wi-Fi interface, confirm that traffic is indeed being routed via the VPN tunnel.

Network Capture

From the cellular interface, apply a filter (mptcp) in Wireshark to only show multipath-tcp traffic.

Initiate a request to Siri by holding down the home button or power button (depending on device model).

Verify that traffic is not being routed to the VPN, but instead directly to Apple (17.0.0.0/8).

Network Capture

Note:

Following these steps on one interface is sufficient to demonstrate the issue. Even though Wi-Fi may be the default interface (and is still leaked, as shown above), the cellular interface will show the setup sub-flow for the MPTCP connection, which also bypasses the VPN. In the above tests, both the Wi-Fi and cellular IP addresses were leaked for this Siri request.
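A leak check that automates the two capture views used in the methodology above, written as an added example rather than Disconnect's own tooling: it parses tcpdump summary lines, reports any source other than the VPN exit address opening port 443 on the test server (the server-side view of Issues 1 and 2), and reports plaintext SYNs from the device to anything but the VPN server, marking Apple's 17.0.0.0/8 (the client-side view of Issue 3). All capture lines and addresses are constructed from RFC 5737 documentation ranges, modelled on the tcpdump output shown above; none is a real endpoint.

```python
"""Leak check over tcpdump output: flag TCP connections that went around the VPN.

Added example (not Disconnect's code). Sample captures are constructed with
RFC 5737 documentation addresses, modelled on the tcpdump lines in the post.
"""
import ipaddress
import re
from dataclasses import dataclass

# Apple's address block, the direct destination of the Siri MPTCP traffic (Issue 3).
APPLE_NET = ipaddress.ip_network("17.0.0.0/8")

# Matches the IPv4 TCP summary lines that `tcpdump -n` prints: ts IP src.port > dst.port: Flags [..]
TCP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)"
    r" > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


@dataclass(frozen=True)
class Syn:
    ts: str
    src: str
    dst: str
    dport: int
    flags: str


def parse_syn(line):
    """Return a Syn for a client-initiated SYN, else None.

    tcpdump shows a plain SYN as [S] and a SYN carrying ECN bits as [SEW]
    (the cellular sub-flow in the post); a SYN-ACK is [S.] and is skipped.
    """
    m = TCP_LINE.match(line.strip())
    if not m:
        return None
    flags = m.group("flags")
    if "S" not in flags or "." in flags:
        return None
    return Syn(m.group("ts"), m.group("src"), m.group("dst"), int(m.group("dport")), flags)


def server_side_leaks(lines, vpn_exit_ip, server_ip, port=443):
    """Server-side view (Issues 1 and 2): the test server should only ever see the VPN
    exit address. Any other source opening the port is a flow that left the device
    outside the tunnel. Returns {leaking_source_ip: [timestamps]}."""
    leaked = {}
    for line in lines:
        syn = parse_syn(line)
        if syn and syn.dst == server_ip and syn.dport == port and syn.src != vpn_exit_ip:
            leaked.setdefault(syn.src, []).append(syn.ts)
    return leaked


def client_side_bypass(lines, device_ip, vpn_server_ip):
    """Client-side view (Issue 3): with the VPN up, a capture of the device's own
    interface should show no plaintext TCP SYN from the device to anything but the
    VPN server. Returns (destination, is_apple_17_8) for each bypassing connection."""
    findings = []
    for line in lines:
        syn = parse_syn(line)
        if syn is None or syn.src != device_ip or syn.dst == vpn_server_ip:
            continue
        findings.append((syn.dst, ipaddress.ip_address(syn.dst) in APPLE_NET))
    return findings


# Constructed server-side capture: a SYN from the VPN exit address, the server's
# SYN-ACK, then an ECN-marked SYN from the cellular address a third of a second later.
SERVER_CAPTURE = """\
21:14:30.851048 IP 203.0.113.45.49339 > 192.0.2.10.443: Flags [S], seq 2950275670, win 65535, options [mss 1240,nop,wscale 6,nop,nop,TS val 1936254843 ecr 0,sackOK,eol], length 0
21:14:30.852001 IP 192.0.2.10.443 > 203.0.113.45.49339: Flags [S.], seq 1, ack 2950275671, win 65160, length 0
21:14:31.235312 IP 198.51.100.77.49617 > 192.0.2.10.443: Flags [SEW], seq 3271060219, win 65535, options [mss 1460,nop,wscale 12,sackOK,TS val 3304016412 ecr 0], length 0
""".splitlines()

# Constructed client-side (Wi-Fi) capture: the device talks to its VPN server, then a
# Siri request opens a plaintext connection straight into 17.0.0.0/8; a second LAN
# host (192.168.1.21) is present to show that only the device under test is judged.
CLIENT_CAPTURE = """\
21:20:01.000100 IP 192.168.1.20.51000 > 203.0.113.9.443: Flags [S], seq 10, win 65535, length 0
21:20:05.400200 IP 192.168.1.20.51001 > 17.57.144.1.443: Flags [SEW], seq 20, win 65535, length 0
21:20:05.400900 IP 192.168.1.21.40000 > 198.51.100.5.443: Flags [S], seq 30, win 65535, length 0
""".splitlines()

if __name__ == "__main__":
    print("server side:", server_side_leaks(SERVER_CAPTURE, "203.0.113.45", "192.0.2.10"))
    print("client side:", client_side_bypass(CLIENT_CAPTURE, "192.168.1.20", "203.0.113.9"))
```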

]]>
<![CDATA[Email Trackers Are Getting More Aggressive, So Is Our Protection]]>https://blog.disconnect.me/email-tracker-privacy/e9c1edd2-ffc1-445e-baae-b090aae5312bTue, 08 Mar 2022 20:20:00 GMTHidden trackers in your email inbox may allow data brokers to connect your real identity with your sensitive online activity. Disconnect is excited to launch a new standalone Email Tracker category to further protect you and your inbox from invasive surveillance.

Email trackers invade your inbox privacy!

Did you know that up to 70% of the emails you receive contain hidden trackers? These email trackers not only let senders know if you opened the email or not, but also may be able to collect your email address along with your IP and unique digital fingerprint. This data may further allow trackers to connect your email address with the other data they collect about your online activity, including the websites you visit, apps you use, purchases you make, your location history, employer, and much more.

Trackers may connect your email address to your real name, employer, websites you visit, apps you use, your purchases, location, and much more.

How email tracking works

Tons of companies that send you emails, especially marketing emails and newsletters, use service providers to help them measure campaigns and analyze how you react to the emails they send. Email trackers often, but not always, are integrated into emails in the form of an invisible pixel, which is a transparent image. When you open the email, the pixel loads and sends information back to the email tracker.
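As an added illustration (not Disconnect's code or list), a small detector that applies the signals just described to an HTML email body: remote images that are 1x1 or hidden by style, that carry an opaque per-recipient identifier in the URL, or whose host is on a tracker domain list. The domain list and the sample message are constructed stand-ins.

```python
"""Flag likely open-tracking pixels in an HTML email body.

Added example, not Disconnect's code. The tracker domain list and the sample
email are constructed; a real deployment would load a maintained list.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for a tracker domain list (a real list is far larger).
TRACKER_DOMAINS = {"pixel.example-mailtrack.net", "open.example-metrics.com"}

# A long run of URL-safe characters in the path or query: the kind of per-recipient
# token a pixel URL carries so the open can be tied back to one email address.
OPAQUE_TOKEN = re.compile(r"[A-Za-z0-9_-]{16,}")


def host_on_list(host, domains=TRACKER_DOMAINS):
    """True if host equals a listed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


class PixelFinder(HTMLParser):
    """Collects remote <img> tags that look like open-tracking pixels."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        a = {k.lower(): (v or "").strip() for k, v in attrs}
        src = a.get("src", "")
        parts = urlparse(src)
        if parts.scheme not in ("http", "https"):
            return  # cid:/data: images stay inside the message and cannot phone home

        reasons = []
        host = parts.hostname or ""
        if host_on_list(host):
            reasons.append("host on tracker list")
        if a.get("width") in ("0", "1") and a.get("height") in ("0", "1"):
            reasons.append("1x1 image")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if OPAQUE_TOKEN.search(parts.path + "?" + parts.query):
            reasons.append("opaque identifier in URL")

        # A listed host is enough on its own; otherwise require two independent
        # signals so an ordinary content image with a CDN cache-buster is not flagged.
        if "host on tracker list" in reasons or len(reasons) >= 2:
            self.findings.append({"host": host, "src": src, "reasons": reasons})


def find_tracking_pixels(html):
    """Return a list of {host, src, reasons} dicts, one per suspected pixel."""
    finder = PixelFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample message: one content image, two pixels, one inline (cid:) image.
SAMPLE_EMAIL = """\
<html><body>
<p>Thanks for subscribing!</p>
<img src="https://cdn.example-shop.com/hero.jpg" width="600" height="200" alt="Sale">
<img src="https://pixel.example-mailtrack.net/o/6f1c9a2b4e8d7c3a5b1f.gif" width="1" height="1">
<img src="https://open.example-metrics.com/t?u=9a8b7c6d5e4f3a2b1c0d" style="display:none">
<img src="cid:logo@example-shop.com" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    for f in find_tracking_pixels(SAMPLE_EMAIL):
        print(f["host"], "->", ", ".join(f["reasons"]))
```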

What information is collected

The information that is sent back to the tracker depends somewhat on your email provider (e.g., Gmail, Outlook, etc.), or even the email client you use (e.g., Apple Mail, Outlook for Windows, etc.), but data collected and retained may include your IP, location information, a unique identifier that is tied to your real email, and other information about your device and browser that allows trackers to personally identify a particular user, or a particular device. And of course, all this data that is collected simply by opening an email not only goes to the email tracker, but to anyone the email tracker shares or sells that data to in the future. This data could be used to help advertisers build a profile, but could also be used by employers, insurers, governments, or criminal attackers.

Why email tracking is such a risk

Making privacy matters even worse, for many of us our actual email address itself is tied to our real name (e.g., dollyparton@email.com) and where we work (e.g., markzuckerberg84@facebook.com). Also our email address may stay the same for long periods of time, which the surveillance industry takes advantage of by using our email addresses as a persistent hard identifier to build a more valuable and personally identifiable profile. This means that years or even decades of your online activity could be linked to your email address and the real you.

Our Email Tracker protection

For many years we have included email trackers in our protection data set, as some email trackers are also found in websites and apps, but today we are launching a new standalone Email Tracker category. This category is the result of a project we embarked on at the beginning of 2021. During the last year we have analyzed over 10 million emails to identify, verify, and compile the most comprehensive list of email trackers available. This new protection is now on by default in our iOS Privacy Pro, Premium, and DNS Privacy apps and will be integrated into all our apps in the near future. At Disconnect we believe everyone has the right to privacy, whether that be in your browser, apps, or inbox.

We hope you enjoy this added layer of privacy protection, and please feel free to reach out with any questions!

]]>
<![CDATA[Introducing Disconnect's iOS App Tracker Report]]>https://blog.disconnect.me/app-tracker-report/88e91e76-6dc8-4391-b188-23de4e93cecbFri, 17 Dec 2021 19:00:58 GMTWe just launched the Disconnect iOS App Tracker Report, the easiest way to uncover hidden trackers inside the apps you use.

Disconnect's iOS App Tracker Report

Since 2013, Disconnect has given you the ability to block and view trackers on your iOS device. But due to technical limitations on iOS, until now we were never able to show you the apps where the tracking we block originates. Building on Apple's App Privacy Report feature that was introduced in iOS 15 and was updated with the launch of iOS 15.2 last week, we are now able to provide valuable insight that allows you to connect the tracking that happens on your device to specific apps.

More transparency about data collection is always a good thing and our new tool builds on the data Apple makes available to reveal information about the app trackers on your device. There are detailed instructions on how to use our tool here, but the short version is that you simply export the App Privacy Report (JSON) file from Apple and then we provide you with the ability to display the tracker data on a website.

In line with our commitment to your privacy, we don’t track, collect, or store any data from your Report. The App Privacy Report file is not uploaded to our servers and is only processed locally on your machine. Our web application does initiate a network request to download the app details (name, icon, etc.) from our servers. None of these network requests are logged and they are only used for the functionality of displaying your Tracker Report. View our privacy policy here: https://disconnect.me/privacy

Check out the Disconnect iOS App Tracker Report now!

]]>
<![CDATA[Online Activity and Location Data Bought from Data Broker and Linked to Real Identity Sparks Bishop’s Resignation]]>https://blog.disconnect.me/online-activity-data-correlated-to-real-name-sold-by-data-broker-leads-to-resignation/2592e0f2-e9c5-4d76-82cf-d538270b9063Wed, 21 Jul 2021 21:15:00 GMTAccording to a report by the Washington Post, top ranked US Catholic church administrator Jeffrey Burrill resigned in the wake of a story by Catholic News site The Pillar who used personal mobile data collected by a data broker to track Burrill's activities on Grindr (a gay dating app) and his location to specific gay bars.

Disconnect CTO Patrick Jackson, who spoke to the Washington Post for this report, expects these types of cases where mobile data is de-anonymized, used, and publicly reported to become more frequent. “[Mass data surveillance] unleashes this chain that a user cannot stop because they don’t even know that [their data] was collected in the first place and they have no idea where this data actually lives, but it’s out there, and it’s for sale.”

The detailed and personal data The Pillar received allegedly was correlated to Burrill’s phone and confirmed his location at bars visited while on work trips for the Catholic Church. The Pillar reported “A mobile device correlated to Burrill emitted app data signals from the location-based hookup app Grindr on a near-daily basis during parts of 2018, 2019, and 2020 — at both his USCCB [U.S. Conference of Catholic Bishops] office and his USCCB-owned residence, as well as during USCCB meetings and events in other cities.”

This case illustrates the reality that these extremely detailed and sensitive profiles are capable of being correlated back to our real identities despite data brokers' claims that the massive amount of personal data they collect about us is "anonymized". Even without a phone number or a name, device IDs and other identifiable data points can be used to tie online activity to specific individuals, including their real name, location, employer, etc.

Our tracker protection apps block data brokers from collecting information about what you do in apps, websites, and emails. Check out our products and protect yourself today.

]]>
<![CDATA[Open Letter to Ban Surveillance Advertising]]>https://blog.disconnect.me/ban-surveillance/e98b0c9b-992c-41c4-b921-ecd2c9a3b18eFri, 16 Jul 2021 19:34:55 GMTLetter to regulators

Time to ban surveillance advertising

Surveillance-based advertising permeates the internet today, creating a number of highly problematic issues for both consumers and businesses.

On June 23, a broad coalition of consumer rights organizations, civil rights groups, NGOs, as well as academics, researchers, privacy experts, and enthusiasts – all concerned individuals – called on regulators to stop the invasive and privacy-hostile practices related to surveillance-based advertising.

In the EU, they urged regulators to consider a ban on surveillance-based advertising as a part of the Digital Services Act. In the U.S., they urged legislators to enact comprehensive privacy legislation.

We are a group of businesses who write to you today to show our support to this initiative. We represent small, medium, and large businesses who all believe – and demonstrate on a daily basis – that it is possible to run profitable companies without exploiting the privacy of individuals.

In addition to the clear privacy issues caused by surveillance-based advertising, it is also detrimental to the business landscape.

In the surveillance-based advertising model, a few actors can obtain competitive advantages by collecting data from across websites and services and dominant platform actors can abuse their positions by giving preference to their own services.

These practices seriously undermine competition and take revenue away from content creators. Anti-competitive behavior and effects serve to entrench dominant actors’ positions while complex supply chains and ineffective technologies lead to lost revenues for advertisers and publishers.

It is also difficult for consumers to distinguish between ‘good’ and ‘bad’ actors in the digital sphere, which means that legitimate actors, amongst them many small and medium-sized enterprises, are directly affected by the actions of unscrupulous companies.

This harms consumers and businesses and can undermine the cornerstones of democracy.

Although we recognize that advertising is an important source of revenue for content creators and publishers online, this does not justify the massive commercial surveillance systems set up in attempts to “show the right ad to the right people”.

Other forms of advertising technologies exist, which do not depend on spying on consumers, and alternative models can be implemented without significantly affecting revenue. On the contrary – and that we can attest to – businesses can thrive without privacy-invasive practices.

We encourage you to take a stand and ban surveillance-based advertising.

With kind regards,

Conva Ventures Inc., dba. Fathom Analytics, Jack Ellis & Paul Jarvis, Directors
DuckDuckGo, Inc., Gabriel Weinberg, Founder and CEO
Disconnect Inc., Casey Oppenheim, Co-founder and CEO
Ecosia GmbH, Christian Kroll, CEO
Fastmail Pty Ltd, Bron Gondwana, CEO
Kobler, Erik Bugge, CEO
Nextcloud GmbH, Frank Karlitschek, Founder and CEO
Mailfence, Patrick De Schutter, Co-Founder and Managing Director
Mojeek Limited, Colin Hayhurst, CEO
Proton Technologies AG, Dr. Andy Yen, CEO
Startpage & StartMail, Robert E.G. Beens, Co-Founder and CEO
Strossle International, Håkon Tillier, CEO & Rickard Lawson, CMO
Tutao GmbH, dba. Tutanota, Matthias Pfau, Co-Founder and CEO
Vivaldi Technologies, Jon von Tetzchner, CEO & Tatsuki Tomita, COO

]]>
<![CDATA[Introducing Global Privacy Control]]>https://blog.disconnect.me/introducing-global-privacy-control/c0266bef-24ea-428d-9426-c585ee0cf035Wed, 07 Oct 2020 14:11:53 GMTWe are proud to announce that we are part of a new effort to create an easy way to exercise your privacy rights, called Global Privacy Control (GPC).

Global Privacy Control

Based on consumers' demand for privacy, lawmakers have stepped up and passed regulations like the California Consumer Privacy Act (CCPA) and the EU General Data Protection Regulation (GDPR). Unfortunately, these and other laws put too much burden on individuals to exercise their rights one website at a time. The GPC is a browser-oriented signal that makes it easy for users to automatically express their preference for privacy on every website they visit, without the need to actually read all those detailed popups or privacy policies.

Check out the GPC website to learn more about this effort and the technical specification we've been working on. Also starting today you can install the award-winning Disconnect browser extension for Firefox, Chrome, or Opera and enable the experimental GPC signal to try it out for yourself. Note, right now there are only a few websites (like The New York Times and Washington Post) that have committed to looking for and accepting the GPC signal, but our hope is that this effort will lead other sites to follow suit.

]]>
<![CDATA[Our New Approach to Address the Rise of Fingerprinting]]>
]]>
https://blog.disconnect.me/our-new-approach-to-address-the-rise-of-fingerprinting/f3643df1-dc08-4638-a2e3-77b680540337Wed, 22 Jul 2020 17:11:00 GMTFirst, what is fingerprinting?

Digital fingerprinting is a method of tracking that identifies you or your particular device based on unchanging properties of your browser, device, or network, without using cookies or other data stored locally on your device. Hidden from plain sight and without leaving a trace, fingerprinting technology allows companies to secretly track your private online activity across many websites, apps, and your internet connected devices.

So for example, a prominent fingerprinting company might see that at 11:31pm you used your iPhone at your exact home address to visit app X, then watch video 1 four times in a row, then visit website Y and watch videos 2, 3, 4, 5, then click ad Z, and at 2:34am buy products A, B, and C. That same company might also be capable of seeing what you're watching on your SmartTV, what articles you read on your tablet while at work, and any purchases you make on your laptop wherever you may be. And of course, this same company could use your unique fingerprint to combine ALL the data they collect about you to create one big fat profile that just keeps on ingesting information that you'd prefer be private.

This privacy invasive technology has been in use for decades and Disconnect's solutions have addressed this threat since 2011. But in the last few years, data trackers have increasingly moved away from traditional cookie based tracking to embrace fingerprinting. So today we are changing up our approach to address this new challenge, introducing a new definition of fingerprinting along with two sub-categories: invasive and general fingerprinters.

Most popular apps and websites have fingerprinters integrated

Last year, we worked with the Washington Post to research the prevalence of fingerprinters that abuse browser APIs on the web and the results of our testing were surprising even to us. It turns out that more than one third of the top 500 U.S. websites used fingerprinting code that took advantage of browser APIs and were capable of individually identifying your computer or phone.

But the full picture is actually much worse because fingerprinters don't just utilize browser APIs in order to track you. In fact, most fingerprinters don't bother with APIs and live outside your browser altogether, especially on mobile where fingerprinters collect tons of information inside your apps but also inside your internet connected cameras, TVs, and other devices.

Why fingerprinting is on the rise

Data collectors are quickly adopting fingerprinting and moving away from other technologies primarily because third-party cookies are going away and technical advancements have made analysis and storage of fingerprinting data much more efficient and valuable.

You can read more about the demise of the tracking cookie here and how "the shift has the potential to drastically reshape the power dynamics of the internet and the $330 billion digital advertising industry that supports it." The short version is that as privacy concerns have become mainstream over the past decade, governments have enacted laws to protect consumers (like the EU Cookie Directive, then GDPR, then CCPA) and web browsers have made moves to limit the collection of user data, especially through the use of third-party cookies. Since at least 2015, when Disconnect first announced that our Tracker Protection lists were powering Private Browsing mode in Firefox, major browsers have increasingly taken steps to protect their users from privacy invasive trackers by default and several privacy focused browsers have emerged.

Beginning in 2017, Apple began offering tracking protections in Safari which focused almost exclusively on limiting and then blocking third-party cookies. Earlier this year Safari announced they were not only going to block third-party cookies associated with trackers, like Firefox does by referencing our list of trackers, but Apple was going to implement a blunt ban on all third-party cookies by default. Also earlier this year, Google announced that as part of their Privacy Sandbox project their Chrome browser was embarking on "A path towards making third party cookies obsolete." It's worth noting that neither of these behemoths has done much to protect users against fingerprinting and that both companies collect data about your activity in sophisticated ways across your devices without the need for third-party cookies.

Because Apple and Google are trillion-dollar monopolies (or at least oligopolies) that have massive browser market share on the platforms they control, what they say goes. So many browser based trackers (as well as the publishers and advertisers they support) have been forced to begin implementing alternative data collection technologies that don't rely on third-party cookies. More often than not, these alternative tracking methods involve some form of fingerprinting users.

How our approach to fingerprinting is changing

As we mentioned above, we've been blocking fingerprinters for nearly a decade. That's because our tracker protection blocks all connections to an entity we've identified as a tracker, whether that tracker is using fingerprinting, third-party cookies, tracking pixels, or whatever. But as our Tracker Protection lists have been integrated by various browsers, properly categorizing different trackers has become increasingly important. For example, as mentioned above we partner with Mozilla Firefox and Microsoft Edge, which by default block third-party cookies from companies that Disconnect has identified as trackers. In addition, Mozilla and Microsoft, unlike Apple or Google, provide default protection against companies we've identified as fingerprinting through the abuse of specific browser APIs.

When we initially created the separate fingerprinting category in our list in February of 2019, our definition of fingerprinting read: "A tracker may be classified as fingerprinting if it abuses browser or device features in unintended ways to identify and track users." We then added entities to this list that were clearly and verifiably (through code analysis) abusing certain browser APIs. When Firefox and Edge began blocking the fingerprinting companies we had identified by default, several of the blocked companies removed their fingerprinting code and requested to be removed from the fingerprinting list. During our review of these companies, we noticed that many of the companies that were not specifically abusing browser APIs had privacy policy language and marketing materials that described what we considered fingerprinting.

So, after much consideration, we have decided to change our fingerprinting definition and to split the fingerprinting category into two sub-categories: (1) general fingerprinters and (2) invasive fingerprinters. The definition of fingerprinting now reads:

  • A tracker may be classified as a fingerprinter if it identifies particular users or devices based on the properties of the browser, device, network, or any other properties of the computing environment, without using client-side storage of cookies or other data.

    • We differentiate between two sub-categories of fingerprinters:
      • (1) A tracker may be classified as a general fingerprinter if it uses browser or device features or properties in unintended ways to identify and track a particular user or device.
      • (2) A tracker may be classified as an invasive fingerprinter if it uses an API to extract information about a particular user’s computing environment when the API was not designed to expose such information.

You can find this definition and the rest of our Tracker Protection policy here.

Our hope is that this new definition and the sub-categories will help clarify the types of activities we consider fingerprinting, which we view as an increasing threat to internet privacy. Starting today, Disconnect will block both general and invasive fingerprinters by default in our all our products. Additionally, at this point, our understanding is that Firefox and Edge will continue to block trackers in our invasive fingerprinting category by default.

The new categories

The initial general fingerprinting category includes thirty-three tracking domains that appear to very clearly meet our definition of general fingerprinting based on technical analysis, their privacy policy, and their own marketing material. Like all our categories, the general fingerprinting category is subject to change and we expect to add more domains soon. You can find the initial list of general fingerprinters and check out the description and analysis of why these companies were included here.

The invasive fingerprinting category includes all the domains that were previously in our fingerprinting category and have been technically verified to meet our definition of invasive fingerprinting.

As always, our goal is to give you the power to determine your own optimum level of privacy and how your personal information is treated. Please feel free to reach out and give feedback on this change or any other topic anytime!

]]>
<![CDATA[Our Tracker Protection list now licensed under Creative Commons]]>Our popular Tracker Protection list for browser protection is now available under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 license, and will no longer be offered under the GNU GPL license.

We have long supported the mission of Creative Commons, which is a global nonprofit organization that "enables sharing and reuse

]]>
https://blog.disconnect.me/were-licensing-our-tracker-protection-list-under-creative-commons/0582dcbd-9013-4ec9-b4c7-7d4c5d3f4e57Fri, 19 Jun 2020 21:17:14 GMTOur popular Tracker Protection list for browser protection is now available under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 license, and will no longer be offered under the GNU GPL license.

We have long supported the mission of Creative Commons, which is a global nonprofit organization that "enables sharing and reuse of creativity and knowledge through the provision of free legal tools." We are pleased to offer our Tracker Protection list under a Creative Commons license to encourage the reuse of our work while maintaining the ability to financially support our efforts by offering paid licenses for commercial use of our lists.

]]>
<![CDATA[We Discovered and Partnered With The Washington Post to Report on Zoom Vulnerabilities]]>With people around the world practicing social distancing in response to the spread of Covid-19, video conferencing platforms have become an essential communication tool for organizations and individuals. Zoom has emerged as one of the most important products in this space and with that rise researchers have exposed a string

]]>
https://blog.disconnect.me/we-discovered-and-partnered-with-the-washington-post-to-report-on-zoom-vulnerabilities/01fa244c-c17e-4a9d-b09a-84a216e1ae17Sat, 04 Apr 2020 23:14:00 GMTWith people around the world practicing social distancing in response to the spread of Covid-19, video conferencing platforms have become an essential communication tool for organizations and individuals. Zoom has emerged as one of the most important products in this space, and with that rise researchers have exposed a string of privacy and security vulnerabilities. As the Disconnect team read through these reported vulnerabilities, we took a closer look at Zoom and discovered that thousands of personal Zoom videos had been left viewable on the open Web. We subsequently worked with the Washington Post, who further investigated and wrote an excellent report on these vulnerabilities.

Videos that were available publicly included extremely sensitive personal information. For example, videos discovered included one-on-one therapy sessions, health information associated with names and phone numbers, financial data, elementary school classes that exposed personal details, intimate conversations, and nudity.

The vulnerable Zoom videos were saved in the cloud without a password and were easily discovered because Zoom names every video recording in a uniform way, so that an online search would reveal the videos for anyone to download and watch. The Washington Post did not reveal the naming convention and Zoom was alerted to the issue before publishing the story.

If you use Zoom or other video call software, check out the Washington Post's guide to protecting your Zoom calls. Most importantly, if a call (video or audio) is being recorded, assume that anything you do or say could be made public and act accordingly. And if you are recording a video call, rename the file and, if possible, password-protect access to the video.

During these trying times the entire Disconnect team is hoping you stay safe and protected online and off.

]]>
<![CDATA[Microsoft Edge Makes Tracking Prevention Powered by Disconnect the Default]]>Last month we announced that the Microsoft Edge browser introduced Tracking Prevention features powered by Disconnect. Well, we're now very excited to announce that Edge has turned their Tracking Prevention powered by Disconnect on by default. You can read more about this feature and announcement here.

]]>
https://blog.disconnect.me/microsoft-edge-turns-tracking-prevention-powered-by-disconnect-on-by-default/229caa1b-1f81-4979-b0d9-c64fecadae17Wed, 15 Jan 2020 23:41:00 GMTLast month we announced that the Microsoft Edge browser introduced Tracking Prevention features powered by Disconnect. Well, we're now very excited to announce that Edge has turned their Tracking Prevention powered by Disconnect on by default. You can read more about this feature and announcement here.

]]>
<![CDATA[Disconnect Now Powers Microsoft Edge's Tracking Prevention Feature]]>Microsoft's Edge browser announces Disconnect will power their tracking prevention feature

We are excited to announce that beginning with Microsoft Edge version 79, Edge's tracking prevention feature will be powered by Disconnect! You can read more about this on the Microsoft Windows blog.

Disconnect is all about making privacy the

]]>
https://blog.disconnect.me/disconnect-now-powers-microsoft-edges-tracking-prevention-feature/5e08c1b7-7041-46f1-b707-7601537ddf31Wed, 04 Dec 2019 00:33:00 GMTMicrosoft's Edge browser announces Disconnect will power their tracking prevention feature

We are excited to announce that beginning with Microsoft Edge version 79, Edge's tracking prevention feature will be powered by Disconnect! You can read more about this on the Microsoft Windows blog.

Disconnect is all about making privacy the default, because we know that most users never dive into their settings to switch things up. For version 79, Edge users will need to manually enable tracking prevention to protect themselves, but we're hopeful that Microsoft will soon follow the lead of other privacy-focused browsers that protect their users by default.

]]>
<![CDATA[We Partnered With the Washington Post to Expose Fingerprinting]]>Scary stuff: Over a third of the most popular websites fingerprint you!

Digital fingerprinting is a problem that Disconnect's solutions have been addressing for almost a decade. So when we had the chance to work with Washington Post technology columnist Geoffrey Fowler to research the prevalence of fingerprinting on the

]]>
https://blog.disconnect.me/we-partnered-with-the-washington-post-to-expose-fingerprinting/2cf1cc3b-9124-4520-90cf-9e10a5645a03Thu, 31 Oct 2019 23:25:00 GMTScary stuff: Over a third of the most popular websites fingerprint you!

Digital fingerprinting is a problem that Disconnect's solutions have been addressing for almost a decade. So when we had the chance to work with Washington Post technology columnist Geoffrey Fowler to research the prevalence of fingerprinting on the web, we hit the ground running, motivated by the opportunity to shed some light on this dark corner in the world of data tracking. The results of our testing were surprising even to us: more than one third of the top 500 U.S. websites used fingerprinting code capable of individually identifying your computer or phone. You can read the entire article here for more details.

]]>