Hi,
just to be sure I got it right, does WP7 put every contact on my phone to Live as soon as I add my Live account details to my phone? And there is no way of preventing my phone from uploading every one of my contacts to a Microsoft cloud? Do I get it right, or am I missing something?
Regards,
m00h
Under People, Settings, Filter My Contacts you can choose to hide contacts from a certain account or all of them. I believe you have to have at least one selected or you can't save contacts.
Sent from my HTC Arrive using XDA Windows Phone 7 App
Filtering contacts does not stop them from being saved to Live. Contacts must have a source, be it Windows Live, Exchange, Google, etc but they can't just reside on the phone.
Entegy is (mostly) correct. However, the important point here is that contacts which are already *from* another source - such as Facebook friends or Gmail contacts - will not get copied to Windows Live. However, if you import SIM contacts, those will get synced to your primary Windows Live account (assuming you've set one up, since it's necessary for much of the phone's functionality).
Yeah, that's a good distinction to make. While contacts require a source, they won't get merged into one account (say, everything auto-copied to your Windows Live account)
GoodDayToDie said:
However, if you import SIM contacts, those will get synced to your primary Windows Live account (assuming you've set one up, since it's necessary for much of the phone's functionality).
That's the answer I needed, in that case, my Omnia 7 is as good as sold. That's a horrifying thing if your phone forces you to sync all the sensitive, confidential data with an American cloud. How can you people be ok with that?
Before I bought a WP7 phone, I read a lot of stuff about it, either on forums or on reviews, and not a single review mentioned that I will be forced to give my data away, that's even more horrifying.
Either way, thanks for the answers.
Regards,
m00h
Well, an awfully large number of millions of people use Gmail, Hotmail, Yahoo mail, or any of a handful of other webmail providers, many of which are hosted in America (or <other place you dislike goes here>) and all of which contain far more private info than just contacts.
For that matter, a truly stupendous number of people use Facebook, which not only stores vastly more "private" info than simply contacts, it also has somewhat poor security and a terrible privacy record. Oh, it's based in the USA too.
Next to all that, a list of contacts names and email addresses being stored in a Microsoft-controlled server that generally has quite good security and is not accessible to anybody except yourself, not even MS employees, unless those employees want to face immediate loss of their jobs, truly massive lawsuits, and quite possibly criminal charges... this is "a horrifying thing"?? I mean I don't care for this "cloud" BS either, but contact info is way, way down on the list of things I'm worried about getting out - I'm pretty sure I'd be more annoyed to lose access to my contacts than to have them leak.
You're welcome to your own opinion, of course. If you either run your own mail server or use a different mail account for each contact (so no corporation can build a contact list for you by checking their email logs), and have no information on any social networks, it's even consistent with the way you live your life. Or is it just the "American" aspect that is so uncomfortable to you? If so, I must in good conscience warn you that XDA-Developers is registered through a US company and WHOIS gives a registrant address in Arizona.
m00h said:
That's the answer I needed, in that case, my Omnia 7 is as good as sold. That's a horrifying thing if your phone forces you to sync all the sensitive, confidential data with an American cloud. How can you people be ok with that?
Before I bought a WP7 phone, I read a lot of stuff about it, either on forums or on reviews, and not a single review mentioned that I will be forced to give my data away, that's even more horrifying.
Either way, thanks for the answers.
Regards,
m00h
Most modern smartphones sync your contacts now......
GoodDayToDie said:
Well, an awfully large number of millions of people use Gmail, Hotmail, Yahoo mail, or any of a handful of other webmail providers, many of which are hosted in America (or <other place you dislike goes here>) and all of which contain far more private info than just contacts.
For that matter, a truly stupendous number of people use Facebook, which not only stores vastly more "private" info than simply contacts, it also has somewhat poor security and a terrible privacy record. Oh, it's based in the USA too.
Next to all that, a list of contacts names and email addresses being stored in a Microsoft-controlled server that generally has quite good security and is not accessible to anybody except yourself, not even MS employees, unless those employees want to face immediate loss of their jobs, truly massive lawsuits, and quite possibly criminal charges... this is "a horrifying thing"?? I mean I don't care for this "cloud" BS either, but contact info is way, way down on the list of things I'm worried about getting out - I'm pretty sure I'd be more annoyed to lose access to my contacts than to have them leak.
You're welcome to your own opinion, of course. If you either run your own mail server or use a different mail account for each contact (so no corporation can build a contact list for you by checking their email logs), and have no information on any social networks, it's even consistent with the way you live your life. Or is it just the "American" aspect that is so uncomfortable to you? If so, I must in good conscience warn you that XDA-Developers is registered through a US company and WHOIS gives a registrant address in Arizona.
Don't get me wrong, it's in no way about the USA or any other country, I'm just not comfortable with the idea, that one big corporation, in one big country is to decide for me how to store my data.
It's like Microsoft would say, that every document on my PC has to be stored on their Live cloud, and you, as a functional member of the tech-society are dependent on their OS. Even Apple is not that barefaced to force me to store my mother's cell phone number on their sync service. It's all about the choice, you know?
Btw., for those who use Android, is it the same way there? Am I forced to sync my contacts with something? I want to go safe this time
Regards,
m00h
m00h said:
Don't get me wrong, it's in no way about the USA or any other country, I'm just not comfortable with the idea, that one big corporation, in one big country is to decide for me how to store my data.
It's like Microsoft would say, that every document on my PC has to be stored on their Live cloud, and you, as a functional member of the tech-society are dependent on their OS. Even Apple is not that barefaced to force me to store my mother's cell phone number on their sync service. It's all about the choice, you know?
Btw., for those who use Android, is it the same way there? Am I forced to sync my contacts with something? I want to go safe this time
Regards,
m00h
android syncs your contacts with your google account, unless you turn off auto sync.
I don't see the issue though, you're just being overly paranoid now. If you have an email account I'm sure there is much more personal things in it
scoobysnacks said:
android syncs your contacts with your google account, unless you turn off auto sync.
I don't see the issue though, you're just being overly paranoid now. If you have an email account I'm sure there is much more personal things in it
I don't think I'm paranoid, I'm just not in common with the idea. But thanks for the answer with the Android, good to know that I can turn the auto-sync off.
Regards
Eh, all of my contacts from all of my accounts put together still constitute less private info than some single documents on my PC (tax returns come to mind, or letters to certain people). That said, so long as I can keep local copies of my docs too, I *am* generally OK with storing them on SkyDrive. If there was anything particularly sensitive I'd encrypt it first, but short of the aforementioned tax records I can't think of any such thing.
Of course, I'm still not sure how your attitude works with email. I mean, you obviously have an email account, or you couldn't be on this site. That account goes to a server somewhere. 99% chance that server is owned by a corporation. That corporation is possibly logging the server's Internet traffic. They're almost certainly making backups of your mailbox automatically all the time, so that if something goes wrong they can restore your mail. They have admins who can access your mailbox whenever they feel like it, with nothing stopping them except employment contracts and/or local laws.
That mailbox is a treasure trove of personal info. It has your contacts (in the form of people who you've exchanged mail with), it has your purchase history (at least, for things bought online or shipped by freight services that send email), it probably has a list of every site that you visit which requires an email address to log in, it has the full transcriptions of any private conversations you've had with friends or loved ones via email, it quite possibly has pictures of you and/or your family, it probably has your home address and phone number (because you sent them to somebody at least once), it even contains information on the hours you keep from the timestamps. If it's Gmail, they (Google) probably also have your IM conversations and possibly your calendar too.
Next to all that, you're worried about a huge corporation, one which is under constant surveillance and would be subject to immense lawsuits if it ever misused customer data, possessing a copy of your contacts list. Honestly, I'm just confused.
GoodDayToDie said:
Eh, all of my contacts from all of my accounts put together still constitute less private info than some single documents on my PC (tax returns come to mind, or letters to certain people). That said, so long as I can keep local copies of my docs too, I *am* generally OK with storing them on SkyDrive. If there was anything particularly sensitive I'd encrypt it first, but short of the aforementioned tax records I can't think of any such thing.
Of course, I'm still not sure how your attitude works with email. I mean, you obviously have an email account, or you couldn't be on this site. That account goes to a server somewhere. 99% chance that server is owned by a corporation. That corporation is possibly logging the server's Internet traffic. They're almost certainly making backups of your mailbox automatically all the time, so that if something goes wrong they can restore your mail. They have admins who can access your mailbox whenever they feel like it, with nothing stopping them except employment contracts and/or local laws.
That mailbox is a treasure trove of personal info. It has your contacts (in the form of people who you've exchanged mail with), it has your purchase history (at least, for things bought online or shipped by freight services that send email), it probably has a list of every site that you visit which requires an email address to log in, it has the full transcriptions of any private conversations you've had with friends or loved ones via email, it quite possibly has pictures of you and/or your family, it probably has your home address and phone number (because you sent them to somebody at least once), it even contains information on the hours you keep from the timestamps. If it's Gmail, they (Google) probably also have your IM conversations and possibly your calendar too.
Next to all that, you're worried about a huge corporation, one which is under constant surveillance and would be subject to immense lawsuits if it ever misused customer data, possessing a copy of your contacts list. Honestly, I'm just confused.
Yea, confused is the right word, I'm very confused about your attitude having your private stuff somewhere, on someone's server without even having a choice not to store it there.
As for the part with the mail-server, no, I host my own mail-server because I take privacy a little bit more seriously, and I surely wouldn't like to be on the list of your contacts if you deal so carelessly with your privacy. I'm in high dudgeon because I'm not given the choice here, that's what it is all about.
If you mention that you would encrypt your documents first, in case they would include some sensitive information, then you are talking about the choice even to encrypt them, or not. The choice which I as a WP7 user obviously don't have, that's the point.
Maybe I'm a little bit old-fashioned, but for me it's very frightening that everyone around seems to be OK with that.
Anyway, since my question is answered, there is no point to continue this discussion, so, thanks for the answer.
Best regards,
m00h
Time to "double wrap" the hat with tin foil...
New Forensics Tool Can Slurp a Phone’s Data via the Cloud
The police don't even need to touch your phone anymore to know how you've been using it. A new off-the-shelf forensics tool lets cops retrieve all the data they want from your iPhone by accessing its contents through iCloud.
The software, developed by ElcomSoft, lets investigators retrieve user data associated with iPhones from Apple's iCloud online backup service, reports The Register. There's a thorough description of how the technology works on ElcomSoft's website, but from The Register:
"iCloud backups offer a near real-time copy of information stored on iPhones including emails, call logs, text messages and website visits. iCloud backups are incremental. When set up to use the iCloud service, iPhones automatically connect to iCloud network and backup their content every time a docked device gets within reach of a Wi-Fi access point.
"'While other methods require the presence of the actual iPhone device being analyzed or at least an access to device backups this is not the case with iCloud,' ElcomSoft chief exec Vladimir Katalov explained. 'With a valid Apple ID and a password, investigators can not only retrieve backups to seized devices, but access that information in real-time while the phone is still in the hands of a suspect.'"
Of course, the solution does require access to the Apple ID and password of the person who's being snooped on and they might not be easy to obtain. But, once those details are in place, the data can be swiftly downloaded, unencrypted. Nice. [ElcomSoft via The Register]
Interesting. I suppose something like this could happen with Google eventually as well, but the only thing that I ever backup are contacts. There was a story posted recently about the FBI issuing a warrant to Google to get access to a pimp's phone because they couldn't crack his unlock pattern.
http://arstechnica.com/tech-policy/...droids-pattern-lock-serves-warrant-on-google/
Even with this, they can only get a limited amount of his data. Google only allows for syncing of Contacts, Calendar, and Gmail, so if he doesn't use it as a main source for data or have his other email linked to it they still won't gain much info. Not sure why the warrant asks for texts because last I checked even Wireless providers only keep logs of numbers texted, not the messages themselves, correct?
Anyway, while this doesn't seem an issue as it requires a warrant, as you said if someone got access to an AppleID and password for malicious purposes it's open season.
Besides the issues SplashData has with their SplashID v7 Android upgrade losing many customers' data, there is also a very worrying security issue which splashdata ignores (and actively censors: my messages regarding this on their FB page have been deleted and I am blocked from commenting or writing there).
Here is the issue:
The new SplashID version 7 had a cloud sync feature (30 day free trial, then for a fee). When first starting the upgraded version (which may have been installed automatically on Android if one allows auto upgrades!), one first has to again enter one's email address/username, and then the password (which is the one used to encrypt one's database containing all one's private, sensitive data!). Then the upgrade asks whether one wants to try the cloud sync feature.
Even if one declines and opts to stay with the existing Wi-Fi sync feature only (which does not need a cloud account), the upgrade goes ahead and automatically creates such a cloud account on splashdata's servers, *and it uses the same password* for this. (In fact, as a further part of the upgrade procedure one needs to log into those cloud servers using that password after receiving an activation link in email.)
So, splashdata leaks the master password which one uses to secure one's most private data (credit card pins, login password etc) into their cloud, without telling that this will be done, not asking permission.
There is no info whether the password is stored securely (doubt it), whether it is in all cases transmitted securely (doubt that too) and anyhow, once this has happened one has lost control over that most important password. It's burnt, in the wild, out of one's own control.
Note that changing the password on one's own copy of SplashID is a good idea after that, but any old copy of one's encrypted database that might still live on any old disk backup, cloud service (dropbox etc) or SD card somewhere, is now vulnerable.
And because splashdata in their 'wisdom' associated one's email address (and thus identity) with that password, it's easier for hackers to find it. Better companies than splashdata have lost passwords in the past.
It is even a very bad idea to use the same password for a cloud service as one uses for securing one's private data. Forcing this onto users without permission or warning is almost criminal.
Sent from my GT-N7000 using Tapatalk 2
sejtam said:
Besides the issues SplashData has with their SplashID v7 Android upgrade losing many customers' data, there is also a very worrying security issue which splashdata ignores (and actively censors: my messages regarding this on their FB page have been deleted and I am blocked from commenting or writing there).
Here is the issue:
The new SplashID version 7 had a cloud sync feature (30 day free trial, then for a fee). When first starting the upgraded version (which may have been installed automatically on Android if one allows auto upgrades!), one first has to again enter one's email address/username, and then the password (which is the one used to encrypt one's database containing all one's private, sensitive data!). Then the upgrade asks whether one wants to try the cloud sync feature.
Even if one declines and opts to stay with the existing Wi-Fi sync feature only (which does not need a cloud account), the upgrade goes ahead and automatically creates such a cloud account on splashdata's servers, *and it uses the same password* for this. (In fact, as a further part of the upgrade procedure one needs to log into those cloud servers using that password after receiving an activation link in email.)
So, splashdata leaks the master password which one uses to secure one's most private data (credit card pins, login password etc) into their cloud, without telling that this will be done, not asking permission.
There is no info whether the password is stored securely (doubt it), whether it is in all cases transmitted securely (doubt that too) and anyhow, once this has happened one has lost control over that most important password. It's burnt, in the wild, out of one's own control.
Note that changing the password on one's own copy of SplashID is a good idea after that, but any old copy of one's encrypted database that might still live on any old disk backup, cloud service (dropbox etc) or SD card somewhere, is now vulnerable.
And because splashdata in their 'wisdom' associated one's email address (and thus identity) with that password, it's easier for hackers to find it. Better companies than splashdata have lost passwords in the past.
It is even a very bad idea to use the same password for a cloud service as one uses for securing one's private data. Forcing this onto users without permission or warning is almost criminal.
Sent from my GT-N7000 using Tapatalk 2
Ouch, that sounds a bad idea. If the user doesn't want a remote account made, they should respect that. Can you give me any more details about this, I would like to contact them and request some proper response to this. While they might not be leaking the plaintext password, anything that can be "opened" with your password is a significant enough leak, as it would allow an attacker to verify they have the right password.
pulser_g2 said:
Ouch, that sounds a bad idea. If the user doesn't want a remote account made, they should respect that. Can you give me any more details about this, I would like to contact them and request some proper response to this. While they might not be leaking the plaintext password, anything that can be "opened" with your password is a significant enough leak, as it would allow an attacker to verify they have the right password.
Not much more than I already said. I am a long-time user of their SplashID (Mac) Desktop and Android app to store all my credit card, bank account and yes, many systems passwords in.
The database they use is encrypted with a 'master password' which one has to enter on one's Android (or iPhone, etc) or Desktop every time to unlock and decrypt (in memory), so that one can access the data.
The same password is used on both the mobile and desktop of course.
A few days ago, an upgrade to SplashID v7 was made available on the Google Play store. I don't allow 'automatic' updates (though I am sure a lot of folks do!), but this time I also did not really check what the upgrade offered, and clicked 'UPGRADE ALL' when it was offered along with a number of other upgrades. So it got installed.
When I subsequently opened SplashID again, it told me about all the shiny new features (cloud sync etc) and as normal asked me for my password (it also asked for my email address. I thought that this was for them to check my purchase/license and what features would be enabled).
I thought that it would then show me my data. But wrong. Instead it offered me a selection whether I want to use the new 'cloud sync' feature (30 day free trial, later for $$), or stay with the normal 'wifi sync'.
I opted for the latter (because I don't trust having my data sent to the cloud).
Anyway, the next thing I get is a message: (paraphrasing) "we have created your cloud account, you will get an email and will have to verify your email". Sure enough, I get an email:
Thank you for signing up for SplashID Safe Personal Edition!
To activate your account, please verify your email address by clicking the link below: Verify Email
Then check your email for our SplashID Safe Welcome message.
The link goes to: https://www.splashid.com/personal/webclient/login.php
I had to again enter there my email address, and *the same password* that I entered before (which I thought would be for my private data-store).
Yes, that same password was used to create my account on their cloud server, even though I opted for the Wifi Sync *only* and never asked for a cloud-sync.
Nor did the app tell me that the same password would be used to secure that account.
The issues with this are self-evident:
a) my most secure password, the one used to secure my data on my mobile and on my desktop is now 'leaked' to their cloud account
b) I have *no* idea how securely that password was transferred (in clear, encrypted, just a hash), nor how securely it is stored
c) it clearly is linked to my cloud-account on their website, so
- someone somehow learning that password could 'verify' it by accessing that account
- if someone hacked their system and accessed their database, that link would be apparent to them
d) I have lost *all control* over securing that password myself. It is 'burnt', 'in the wild'
e) Any past backups of my secure SplashID database that may live on SD cards of mine, on backup disks, which may have been copied to the cloud (dropbox, others) are now vulnerable. It is no use for me to change this password here now, as old copies that may still exist somewhere are still encrypted with this password (and I cannot change them back).
Yes, I am trying to limit exposure for that password data file as much as possible, but eg Titanium Backup may have at some point in the past backed it up and copied a backup to the cloud (yes, that is also encrypted, but once that feature failed).
More than that, of course users who are not as security conscious may have opted for 'cloud sync'.
While I have not tried this feature myself, it sounds to me like this does copy the data to SplashID's cloud and there secures it too only with that one single password.
So many users who may not have thought all this out may have opted for the 'CloudSync' trial, and not only have their password 'leaked'/'burnt' now, but also have all their data in the cloud, again secured only with a password that is no longer in their sole possession.
In fact, any secure, trustworthy system would have
a) been *very* upfront about what they are going to do with the password and the cloud account
b) used a separate password to secure the cloud account
c) only stored my encrypted copy of the database in their cloud, without *them* having the password for it
d) done any syncing on the client (ie, transfer the complete encrypted password to the mobile or desktop where the comparison/updates would happen) and then copied back again a secured file, that was encrypted on the mobile.
More discussion on SplashID's own site: http://forum.splashdata.com/showthr...ically-send-in-background-to-splash-id-server
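The separation sejtam asks for in points (b) and (c), and pulser_g2's remark that anything which can be "opened" with the password lets a guess be verified, sketched as an added example (not SplashID's code and not posted by anyone in the thread; how SplashID actually transmits or stores the password is unknown). The key labels, PBKDF2 work factor, sample passwords and salt are constructed, and an HMAC tag stands in for the encrypted database.

```python
import hashlib
import hmac

ROUNDS = 200_000  # assumed PBKDF2 work factor for this sketch


def stretch(password: str, salt: bytes) -> bytes:
    """Slow step: turn a password into a 32-byte root secret."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS, dklen=32)


def subkey(root: bytes, label: bytes) -> bytes:
    """Domain separation: one-way, independent subkeys from one root secret."""
    return hmac.new(root, label, hashlib.sha256).digest()


def database_key(password: str, salt: bytes) -> bytes:
    """Key protecting the local database and every old backup of it."""
    return subkey(stretch(password, salt), b"local-db-encryption")


def login_token(password: str, salt: bytes) -> bytes:
    """What a separated client would send to the cloud instead of the password."""
    return subkey(stretch(password, salt), b"cloud-login")


def seal_backup(password: str, salt: bytes) -> bytes:
    """Stand-in for an encrypted backup: a tag only the database key reproduces."""
    return hmac.new(database_key(password, salt), b"backup-header", hashlib.sha256).digest()


def opens_backup(key: bytes, backup_tag: bytes) -> bool:
    tag = hmac.new(key, b"backup-header", hashlib.sha256).digest()
    return hmac.compare_digest(tag, backup_tag)


def server_record(token: bytes) -> bytes:
    """The server keeps a hash of the login token, never the token itself."""
    return hashlib.sha256(token).digest()


def record_confirms(candidate: str, salt: bytes, record: bytes) -> bool:
    """Whether a server-held record confirms that a candidate password is right."""
    return hmac.compare_digest(server_record(login_token(candidate, salt)), record)


def demo() -> dict:
    salt = b"constructed-salt"                 # constructed; real clients use os.urandom(16)
    master = "correct horse battery staple"    # constructed sample master password
    old_backup = seal_backup(master, salt)     # e.g. a copy left on an SD card

    # Model 1 (assumption): the cloud login receives the master password itself.
    # Whoever learns it server-side can rebuild the database key.
    reused = opens_backup(database_key(master, salt), old_backup)

    # Model 2: the server only ever holds a hash of a separate login token.
    token = login_token(master, salt)
    record = server_record(token)
    separated = opens_backup(token, old_backup) or opens_backup(record, old_backup)

    # pulser_g2's point: the record still confirms a correct guess of the master
    # password, so the slow stretch() is all that protects a weak password.
    right = record_confirms(master, salt, record)
    wrong = record_confirms("not the password", salt, record)

    # sejtam's point (b): with a different cloud password the server-side record
    # says nothing about the master password at all.
    other_record = server_record(login_token("a different cloud password", salt))
    unrelated = record_confirms(master, salt, other_record)

    return {
        "reused_password_opens_old_backup": reused,
        "separated_server_data_opens_old_backup": separated,
        "record_confirms_right_guess": right,
        "record_confirms_wrong_guess": wrong,
        "separate_cloud_password_confirms_master": unrelated,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```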
I was recently admitted to a company, and as an ease of accessing my e-mails and work schedule, the android "work profile" was made available so that I could have access to company information (such as e-mails, calendar, information and others) without having to receive a corporate cell phone.
However, my biggest concern is with the organization's access to my data. My organization that created the work profile, can have access to my browsing history, data on the device (such as photos, application files, etc.), time I spend using my cell phone, contacts, call logs, and other data personal profile?
I have already visited the google instructions page, but I was still unsure because my organization installed some network certificates and the warning "Your organization can monitor network traffic ..."
Another question:
If I leave a work profile app open in the background, and use my personal profile at the same time, can my organization have access to network traffic and consequently my personal information?
All questions, however redundant, are intended to clarify the details of the organization's access to my personal information
From now on, I am immensely grateful for the help and time you spent reading my questions.
You are holding a phone in your hands for which an organization has concluded a data plan contract and is paying for it. They therefore will have a legitimate interest in the network traffic on this device, unless it is a contract for unlimited bandwidth. Network traffic is triggered by apps / services, which can actually be read out: they simply have to install an HTTP/S proxy that is intercepting the HTTP/S traffic on any app housed on the phone.
jwoegerbauer said:
You are holding a phone in your hands for which an organization has concluded a data plan contract and is paying for it. They therefore will have a legitimate interest in the network traffic on this device, unless it is a contract for unlimited bandwidth. Network traffic is triggered by apps / services, which can actually be read out: they simply have to install an HTTP/S proxy that is intercepting the HTTP/S traffic on any app housed on the phone.
The phone is mine, and there is no plan of internet hired by the company.
It's my personal cell phone, and for me to view emails and talk to people from within the organization, I had to enable the "work profile".
So I had my personal and work profile on my personal device.
My question is: my company can see my personal files and my online activity in the "PERSONAL PROFILE"?
Fred964 said:
The phone is mine, and there is no plan of internet hired by the company.
It's my personal cell phone, and for me to view emails and talk to people from within the organization, I had to enable the "work profile".
So I had my personal and work profile on my personal device.
My question is: my company can see my personal files and my online activity in the "PERSONAL PROFILE"?
I created a second user on my phone named "Company".
If I do this it asks me if I want to turn on phone calls and SMS and then warns that
Call and SMS history will be shared with this user.
That makes sense, since I (as the owner) can decide whether or not other users of my phone can access that data.
I tried to access owner's files via filemanager from "Company" account. I couldn't see anything.
I tried the same but via adb using a root shell -> I had full access to owner's files.
Owner has a VPN active. I tried to access that VPN from within "Company". Didn't work.
Tried to access apps from within "Company" -> no luck.
Checked settings -> some are gone, some aren't. E.g. I can see my paired devices (paired from owner) when I'm in "Company" account.
Soo, to answer your question:
Fred964 said:
My organization that created the work profile, can have access to my browsing history, data on the device (such as photos, application files, etc.), time I spend using my cell phone, contacts, call logs, and other data personal profile?
I have already visited the google instructions page, but I was still unsure because my organization installed some network certificates and the warning "Your organization can monitor network traffic ..."
Access to browsing history, data, contacts? No.
Time spent? I don't know but in battery usage settings I can see how much battery has been used by the owner account.
Call logs? Yes, if you accepted that.
Your language? Yes.
About certificates: I don't know exactly what they do (I figured if you turn them off your device cannot connect to the internet anymore if that certificate is needed for that connection attempt) but you can go to Security -> Encryption & credentials -> Trusted credentials and turn them off while you're in your personal account.
However: One question remains: Does the profile your company created somehow differ from the one you can create manually via settings? I don't think so, so above things should be valid.
If that's an option you could also ask your company directly (even though I can understand if you might not want to trust them).