The Failure to Frame Covid-19 Mobility Data

(Photo by Gabriel Meinert on Unsplash)

For the past year, the Toronto Star has repeatedly run articles that take mobility data from mobile device advertisers, to then assess the extent to which Torontonians are moving too much. Reporting has routinely shown how people are moving more or less frequently, with articles often suggesting that people are moving too much when they’re supposed to be staying put.

The problem? The ways in which ‘too much’ is assessed runs contrary to public health advice and lacks sufficient nuance to inform the public. In the most recent reporting, we find that:

Between Jan. 18 and Feb. 28, average mobility across Ontario increased from 58 per cent to 65 per cent, according to the marketing firm Environics Analytics. Environics defines mobility as a percentage of residents 15 or older who travelled 500 metres or more beyond their home postal code.

To be clear: in Ontario the provincial and local public health leaders have strongly stated that people should get outside and exercise. That can involve walking or other outdoor activities. Those activities are not supposed to be restricted to 500 metres from your home, which was advice that was largely provided in more restrictive lockdowns in European countries. And we know that mobility data is often higher in areas with higher percentages of BIPOC residents because they tend to have lower-paying jobs and must travel further to reach their places of employment.

As has become the norm, the fact that people have moved around more frequently as (admittedly ineffective) restrictions have been raised, and that people are ‘region hopping’ by going from more restricted zones to less restricted ones, is being tightly associated with personal or individual failures. From a quoted expert, we find that:

“It shows that once things start to open, people just seem to do whatever, and that’s a recipe for disaster.”

I would suggest that what we are seeing is a pent up, pretty normal, human response: the provincial government has behaved erratically and you have some people racing around to get stuff done before returning to another (ineffective) set of restrictions, and a related set of people who believe that if the government is letting them move around then things must be comparatively safer. To put it another way, in the former case you have people behaving rationally (if, in some eyes, selfishly) whereas in the latter you have a failure by government to solve a collective action problem by downloading responsibility to individuals. In both cases you are seeing an uptick in behaviour which is suggestive that they believe it’s safer to do things, now, than weren’t before when the government assumed some responsibility and signalled that moving was less safe and actively discouraged it by keeping businesses and other ‘fun’ things shut down.

Throughout the pandemic response in Ontario, what has been evident is that the provincial government simply cannot develop and implement effective policies to mitigate the spread of the pandemic. The result of muddling through things has been that the public, and especially small business, has suffered extraordinarily whilst the gains have been meagre. The lack of paid sick leave, as an example, has seriously stymied the ability of lower-income workers to actually keep themselves apart from others while they wait for diagnoses and, if positive, recover from their infections.

To be fair, the Toronto Star and other outlets have covered paid sick leave issues, along with lots of other failures by the provincial government in its handling of the pandemic. And there is certainly some obligation on individuals to best adhere to public health advice. But we’ve long known these are collective action problems: there is a need to move beyond downloading responsibility to individuals and for governments to behave effectively, coherently, and accountably throughout major crises. The provincial government has failed, and continues to fail, on every one of these measures to the effect that individuals are responding to the past, present, and expected future actions of the government: more unpredictability and more restrictions on their daily lives as a result of government ineptitude.

Whereas the journalists could have cast what Ontarians are doing as a semi-natural response to the aforementioned government failings, instead those individuals are being castigated. We shouldn’t be blaming the victims of the pandemic, but I guess that’s what happens when assessing mobility data.


Hackers and Law Enforcement Could Hijack Wi-Fi Connections to Track Cellphones

From The Intercept:

But if the operator is O’Hanlon and not Verizon — that identity is compromised. “The IMSI is revealed during this interchange, during the early stages of the conversation. It’s not encrypted,” he says.

This type of activity is called passive monitoring, because it doesn’t require a specific active attack or malware. It only works in some cases, however.

O’Hanlon also developed a couple active attacks that would get the job done, one involving masquerading as the operator’s endpoint where the Wi-Fi call is being directed, and another using a man-in-the-middle attack to intercept it.

Apple is the only company that has taken steps to mitigate the privacy and security risk, he says — they added additional security protocols when he brought up the issue over the summer. It was addressed in iOS 10, though there are still ways to get around the protections. But the problem is less with the companies and more with the way the connections were set up in the first place.

Yet another time that Apple has dedicated engineering resources to better protect their customers whereas their major competitor has declined to do so. And this wasn’t even an Apple or Google problem, per se, but a protocol level issue.


At its core, respecting the user means that, when designing or deploying an information system, the individual’s privacy rights and interests are accommodated right from the outset. User-centricity means putting the interests, needs, and expectations of people first, not those of the organization or its staff. This is key to delivering the next generation of retail experience because empowering people to play active roles in the management of their personal data helps to mitigate abuses and misuses. To this end, Aislelabs provides an opt out site that allows individuals to choose not to have their retail traffic data included in any anonymous analytics.

It’s incredible that any company – let alone a Canadian Privacy Commissioner – would claim that an opt-out mechanism for hidden and secretive tracking technologies (i.e. monitoring your mobile devices as you walk through the world so retailers can better sell you things) constitutes “putting the interests, needs, and expectations of people first, not those of the organization or its staff.” For such an assertion to be valid the ‘people’ should be given the opportunity to opt-in, not out, of a surveillance system that few will know about and fewer will understand. There are vast bodies of academic and industry literatures which show opt-out mechanisms generally do not work; they’re not effectively centralized and they add considerable levels of friction that hinder consumers’ abilities to express their actual interests. And that’s just fine for many retailers and analytics companies because they’re concerned with turning people into walking piggy banks, not with thinking of individuals as deserving any semblance of a reasonable expectation of privacy.

The Painful Process of Updating Android

Android fragmentation is a very real problem; not only does it hinder software developers’ abilities to build and sell apps but, also, raises security issues. In a recent report from Open Signal, we learn that 34.1% of Android users are using the 2.3.3–2.3.7 version of Android, whereas just 37.9% of users using 4.x versions of the operating system, most of whom are themselves using a years-old version of Android. In effect, an incredibly large number of Android users are using very outdated versions of their mobile phone’s operating systems.

It’s easy to blame this versioning problem on the carriers. It’s even easier to blame the issue on the manufacturers. And both parties deserve blame. But perhaps not just for the reasons that they’re (rightly!) often crucified for: I want to suggest that the prevalence of 2.3.x devices in consumers’ hands might have as much to do with consumers not knowing how to update their devices, as it does with updates simply not being provided by carriers and manufacturers in the first place.

Earlier this month I spent some time with ‘normal’ gadget users: my family. One family member had a Samsung Galaxy S2…which was still using version 2.x of the Android operating system. Since February 2013, an operating system update has been available for the phone that would bring it up to Android version 4.1.2, but my family member neither knew or cared that it was available.

They didn’t know about the update because they had received no explicit notice that an update was available, or at least didn’t recall being notified. To be clear, they hadn’t updated the phone even once since purchasing the device about two years ago, and there have been a series of updates to the operating system since purchase time.

The family member also didn’t care about there being an update, because they only used the phone for basic functions (e.g. texting, voice calls, the odd game, social networking). They’re not a gadget monkey and so didn’t know about any of the new functions incorporated into the updated Android operating system. And, while they appreciate some of the new functionality (e.g. Google Now) they wouldn’t have updated the device unless I had been there.

A key reason for having not updated their phone was the absolute non-clarity in how they were supposed to engage in this task: special software had to be downloaded from Samsung to be installed on their computer,[1] and then wouldn’t run because the phone’s battery had possess at least a 50% charge,[2] and then it took about 3 hours because the phone couldn’t be updated to the most recent version of Android in one fell swoop. Oh, and there were a series of times when it wasn’t clear that the phone was even updating because the update notices were so challenging to understand that they could have been written in cipher-text.

Regardless of whether it was Rogers’, Samsung’s, Google’s, or the tooth fairy’s fault, it was incredibly painful to update the Android device. Painful to the point that there’s no reason why most people would know about the update process, and little reason for non-devoted Android users to bother with the hassle of updating if they knew what a pain in the ass it was going to be.

The current state of the Android OS ecosystem is depressing from a security perspective. But in addition to manufacturers and carriers often simply not providing updates, there is a further problem that Android’s OS update mechanisms are incredibly painful to use. Only after the significant security SNAFUs of Windows XP did Microsoft really begin to care about desktop OS security, and Google presently has a decent update mechanism for their own line of Nexus devices. What, exactly, is it going to take for mobile phone manufacturers (e.g. Samsung, HTC) and mobile phone carriers (e.g. Rogers, TELUS) to get their acts together and aggressively start pushing out updates to their subscribers? When are these parties going to ‘get’ that they have a long-term duties and commitments to protect their subscribers and consumers?[3]

  1. In theory there is an over the air update system that should have facilitated a system update in a relatively painless way. Unfortunately, that system didn’t work at all and so Samsung’s software had to be used to receive the updates.  ↩
  2. Really, this made no sense. To update the device it had to be plugged into a computer; why, then, did the phone (which was charging because it was plugged into the computer) need to have a 50%+ charge?  ↩
  3. I actually have a few ideas on this that will, hopefully, start coming to fruition in the coming months, but I’m open to suggestions from the community.  ↩

Why No Big Wireless Carriers Protect Journalist Phone Records

Via HuffPo:

I love just how direct Chris is these days when speaking with the press about the telcos and their utterly abhorrent practices.


The new Home app/UX/quasi-OS is deeply integrated into the Android environment. It takes an effort to shut it down, because Home’s whole premise is to be always on and be the dashboard to your social world. It wants to be the start button for apps that are on your Android device, which in turn will give Facebook a deep insight on what is popular. And of course, it can build an app that mimics the functionality of that popular, fast-growing mobile app. I have seen it done before, both on other platforms and on Facebook.

But there is a bigger worry. The phone’s GPS can send constant information back to the Facebook servers, telling it your whereabouts at any time.


And most importantly it is Facebook, a company that is known to have played loose-and-easy with consumer privacy and data since its very inception, asking for forgiveness whenever we caught them with its hand in the cookie jar. I don’t think we can be that forgiving or reactive with Facebook on mobile.


The traditionally advocated uses for NFC have been to replace RFID chips in travel cards, such as the Oyster card in the UK, and RFID chips in credit cards, such as MasterCard’s PayPass.

The problem with these replacements is a simple one, however. Smartphone batteries run out. They do so with alarming regularity, and they do so at inopportune moments. I don’t care what phone you say you have, and I don’t care if you say it doesn’t happen to you, because it does. You end up staying out late, or you leave your charger at home by accident, or you just plain use the phone too much during the day, and then when you need the phone to work, it doesn’t because it’s out of juice.

The phone running out of power is bad enough when it means you don’t have maps and directions. That’s annoying. But even worse is the battery going flat when you need the phone for mass transit or paying for stuff.

And yet that’s precisely the value proposition that NFC offers: go out for a night on the town and get stranded with no money, no subway ride home. The only way to be safe is to take your credit card and travel card with you anyway, and if you’re doing that? Well you don’t exactly need NFC then, do you?

* Peter Bright, “Mobile World Congress is Mean Girls, and NFC isn’t going to happen”

Attention shoppers: Retailers can now track you across the mall

While the technology that the IT World article discusses isn’t terribly novel – I was given a paper conducted by grad students on this topic a few years ago, and they had a working prototype of similar systems – I find it incredibly worrying that ambient information that smartphones expel is being used for purposes in excess of why the information is transmitted in the first place. We don’t live in a (Western) world where lacking a cell phone is common; for many people a mobile phone is critical to their business or livelihood. Indeed, when you go to other areas of the world where mobile penetration is even higher because of exorbitant costs associated with laying down fibre, mobiles are even more important on a daily basis.

As such, and any suggestion like “if you don’t want to be tracked, don’t own a phone” misses the point around privacy concerns related to mobile phone tracking. In effect, it shouldn’t be up to the individual to unilaterally defend themselves from further expansions of private surveillance capabilities. Instead, those capabilities should be limited by law, by regulation, and by a minimalistic sense of ethics. Tracking where people are walking, and giving them an option to opt-out of tracking by visiting a website they’ve never heard of and digging into its depths is not a sufficient way to ‘empower’ individuals.


What Windows Phone Needs

Tumblr user nugnug provides an excellent list of the core “what’s missing” in Windows Phone right now and that will continue being absent after the 7.8 update:

  • rotation lock – I surf the net when I’m lying down. Everyone does. This is such an important feature and yet, where the hell is it?
  • screen capture – I can’t take screenshots on my phone! What is this!? How can I blackmail people and post the stupid things they say on Facebook?
  • customized sounds for messaging, etc. – We can customize our ringtones, so why not the rest?
  • notification center – This ain’t happening. I already know this cause they didn’t have time to make it. Lame.
  • separate volume controls for phone sounds and media – I want to listen to music at a really low volume but that means I won’t be able to hear my phone ring. A dilemma that can be easily rectified.
  • the forward button and “find on page” function in IE – there’s a java fix someone else kindly made, but there shouldn’t be a need. It’s a basic function that should be included in all internet browsers.
  • Wifi turns off when in sleep mode – the biggest reason why my whatsapp messages arrive hours later is because my phone, which relies on only Wifi when I’m at home, turns off Wifi when it goes to sleep. Ugh.
  • multi selection – let me delete multiple photos on my phone at a time. PLZZ.
  • editing the dictionary – there are some words I made up, I would like to delete please.
  • improvements in the calendar – by far the most used section of my phone, it holds all my schedules and Facebook events and works seamlessly. So why not build on it? Include a weekly view, allow me to change colours on some of my personal entries.
  • automatic sleep mode – not too fussy, but this would be really cool. If I set a time e.g. from 11pm to 8am, my phone will sleep between those hours and I won’t get any notifications between those times.
  • closing apps from the multitasking view – not too important

I have to admit that some of the items aren’t top of mind for me: I don’t really care about the sleep mode, don’t see the point of closing apps from the multitasking view, and am not interested in bluetooth sharing. That said, every other suggestion is much, much needed.

I would also add to the list that scrolling in the 7.8 update needs to change; in the older version 1 Windows Phones scrolling would accelerate the more your scrolled up or down, whereas the current generation of 7.5 phones feature a static scrolling rate. This speed simply feels slower than earlier – and less capable – hardware and software iterations of Windows Phone.