Marco Polo Video Walkie Talkie and Privacy

 Recent I got an invitation to install an app for my phone from a person in my contact list that I rarely interact with. The app sent this message “Hey get on this so we can chat marcopolo70.me/[omitted]”

I was hesitant to install the app because I don’t really like video chat. I decided to check it out the next day anyways. When I went to install it I looked at the information the app wanted access which included SMS,  contact list, photos and SD card.

Being more conservative I decided to not install it. I didn’t want an app that could send texts and read my contact list. After deciding to ignore the app. I looked at some reviews  and saw that once installed, the app sends messages just like the one I received to a random set of contacts.

That makes it viral because it can replicate by sending it to others who can expand the installed base. By using social engineering it is able spread itself exponentially without needing to take advantage of any technological flaws to spread automatically. It effectively works like a digital chain letter without the participants being aware of that.

However there is another pernicious effect of the app which is that the link it sent me was personalized and pointed to a web page.  This let the owners if the app to verify my phone number as a valid cell number without my permission  or ability to evaluate the privacy policy or review the qualities of the app. This information is really valuable and can be sold for legal (our illegal) activities. In addition the owner learns the model of phone,  version of OS and other technical information that allows access to any real security flaws (known or day zero) of the victim’s phone.

The domain contact for marcopolo70.com is “BORTNIK BORTNIK” associated with a business “EVERY1X1” It’s has been registered for only 26 days. The remainder of the domain information including full contact information for the registrant is available at http://servicehostnet.com/domain/marcopolo70.com#reg-metadata The domain marcopolo70.me is harder to get information about the registration so I’m not sure the exact details but it’s obviously linked to the same organization.

It’s pretty clear that these violate the domain registrar’s enom.com and the Montenrgro (.me) terms of service but I haven’t heard if either of then have taken action. (But they haven’t had much time to react either.)

From a fair information practices point of view it blows then out of the water. There is no notice or awareness of the owners practices,  no consent or choice,  no access or participation and no security or integrity of their handling of the information. In fact there is the exact opposite of all of them.

As far as the app and website violating US or EU laws, that’s probably easy to determine but I’m not sure the procedure of reporting that at the moment. I won’t have access to a desktop computer for a few days.

Edit: every1x1 also owns marcopolo54.org and marcopolo66.org and apparently every other marcopoloXX