I have a Samsung Gear S3 watch that tracks my sleep, probably in much the same way as Fitbit and many other wearable devices. It lets me know how long I was sleeping restlessly, lightly and motionlessly. It gives me total time asleep and an efficiency rating. I have no idea how it decides these categories but in general, it seems to match my perception of whether or not I had a good sleep. Higher efficiency numbers seem to correlate with a better night’s sleep. This data is between me and my watch and my phone, where the history lives. Barring malware, this information goes no further. I typed that sentence and then decided to check my phone. While I have no apps installed that share my health data, it turns out my data does go to Samsung servers.
Thinking about that, I wound up going down an internet rabbit hole trying to find out what data they had about me. Unfortunately, the trip produced no results. So I assume that whatever data I see in the app, they have. Their website assures me that this is okay because, as they say:
So I decided to track down Samsung Knox, if possible, and see what it was/is. Knox is supposed to be an enterprise-scale security solution. It is supposed to let you partition work and personal data on your phone and is/was available from vendors selling Samsung phones. I use ‘is/was’ because the status of Knox seems to be rather fluid. Back in 2014, a researcher blogged about some deficiencies in Knox Personal, which was then replaced by My Knox. In 2017 My Knox was discontinued and Secure Folder became the chosen security method for Samsung devices running Android Nougat 7.0 or higher.
Secure Folder has some nice features (taken from this article):
My Galaxy S8+ can use this app but it has to be added manually. So that is good - my data and apps can be set up so they are very secure, ON MY PHONE. What about Samsung’s servers? And why should I (and by inference, you) care about your data on someone’s servers?
This article talks about two CNET.com folks who asked some security experts to look at the dark web and see if any of their personal information could be found. The results?
“Detailed information about Graham was included in a WikiLeaks-related "fullz" dump, a data breach that can include financial information like Social Security numbers, credit card numbers, date of birth and mailing addresses. Fortunately, most of Graham's information was related to a prior address or no longer relevant. Still, his information, along with the details of several thousand additional users, was for sale at the cut-rate price of $69.”
“My [the article’s author] exposure was slightly greater. Terbium found my name, email address and other personal details that were associated with my current phone number on a fraud site called Black Stuff. By plugging some of the information into the dark web site Torch, I was able to uncover additional details, including older geographic coordinates.”
That information came from some server somewhere, possibly from some apps the authors used or some data that was entrusted to someone for some reason. Note the last part of the second paragraph: “geographic coordinates”. That means your location. In this instance they were older and presumably not meaningful, but what about some other breach? Could someone be selling your current whereabouts? This can be a serious issue in cases of spousal abuse or stalking, or for high-profile people subject to kidnapping.
So my watch knows where I go. My phone knows where I go. My bed knows how and when I sleep and I need to trust a lot of other people to keep all that information secret. I don’t know about you, but that does not make me feel all warm and fuzzy about keeping what I do between me and my devices. It takes a lot of effort to set up what little control we have over our data. Keep in mind that whenever data is collected, by definition it is stored somewhere. The bad guys are out to get that data and sell it. We all need to be very careful about what kind of data we allow to be collected and with whom we share it. These days, data breaches are a fact of life and it is truly a matter of when, not if, your data will be exposed.