Carrier IQ Drama Continues 244
alphadogg writes "A Cornell University professor is calling the controversial Carrier IQ smartphone software revelations a privacy disaster. 'This is my worst nightmare,' says Stephen Wicker, a professor of electrical and computer engineering at Cornell. 'As a professor who studies electronic security, this is everything that I have been working against for the last 10 years. It is an utterly appalling invasion of privacy with immense potential for manipulation and privacy theft that requires immediate federal intervention.'" Read on for a grab-bag of other news about the ongoing story of Carrier IQ's spyware.
Federal intervention is already on the menu; new submitter mitcheli writes "Following the video from Trevor Eckhart on Youtube after the filing of the Cease and Desist letter and subsequent reply by the EFF and apology letter (as reported on Slashdot), Senator Franken of the Subcommittee on Privacy Technology and the Law asks some rather pointed questions." Franken has more reason, apparently, to look into this than might legislators in other countries; an anonymous reader submits news that Cambridge researchers have found the software to be confined to (or at least only confirmed in) American customers' phones. From their report: "We performed an analysis on our dataset of 5572 Android smartphones that volunteers from all over the world helped us create. From those 5572 devices, only 21 were found to be running the software, all of them in the US and Puerto Rico. The affected carriers we observed were AT&T, Boost Mobile and Sprint.
We found no evidence of the Carrier IQ software running on Android devices in any other country."
Another anonymous reader suggests that "Apart from anything else, the fundamental mistake that Carrier IQ made was attempting to silence a developer using a heavy-handed legal threat. Certainly this was the tipping point in terms of bring the whole incident to the public's attention."
Like apparently begets like; reader adeelarshad82 writes "Not surprisingly, the Carrier IQ controversy has resulted in some legal action. Class-action lawsuits have been filed in California and Missouri that accuse Carrier IQ, as well as Samsung and HTC, of violating federal wiretap laws. The California case was filed on behalf of four smartphone users with HTC and Samsung devices and accuses the companies of violating the Federal Wiretap Act, which prohibits the unauthorized interception or illegal use of electronic communications, and California's Unfair Business Practice Act."
Finally, GMGruman writes with the cautionary note that Carrier IQ and Facebook pose "the least of your privacy threats": "[S]o far these forms of monitoring anonymize the data, so an individual's actual privacy is not invaded. And while people fret over these potential invasions, a more pernicious privacy invasion is under way, one that monitors actual individuals and then uses that information to try to direct their behavior. For example, car insurers give monitoring boxes to customers to track their driving behavior and offer a discount if it is 'good.' Of course, the flip side is higher rates or no coverage if the black box decides you are "bad." And, as this blog post points out, this is just one of many such 'Big Brother corporation' efforts out there that give significant power to insurers and others who have a history of abusing personal information, such as for redlining and coverage denial."
Analytics for Mobiles (Score:3, Interesting)
And after all, Carrier IQ was just Google Analytics to mobiles. I can just hope that people start the same kind of uproar once they realize how much Google is spying them. If it's not allowed on mobiles, I don't see why it should be allowed on our computers and internet. Maybe there's still some hope in humankind.
questions (Score:5, Interesting)
Very good question from the senator:
Does Carrier IQ believe that its actions comply with the Computer Fraud and Abuse Act (18 U.S.C. Â 1030)? Why?
That's the kind of question you don't want to be asked. People don't ask that way if they don't already have an opinion. Basically, he wants to see them dig their own grave, and enjoy it.
That's good news. Let's see if they spring the lobby machine into overdrive and try to get the issue "lost" in sub-comittees and extended deadlines.
Re:Analytics for Mobiles (Score:3, Interesting)
Re:Should have got a blackberry... (Score:3, Interesting)
I know that that statement makes me fully confident... "CIQ is not installed on Blackberry smartphones." is short, punchy, and sounds nice. Who wants to guess why their spokesweasel went with the above, instead?
Re:Should have got a blackberry... (Score:5, Interesting)
True, but you can install any app you want on a BlackBerry, including ones that allow users to use their own keys. You can even get BES for free and run your own mailserver with your own keys. I realize RIM has fallen behind in many areas, but I have to say I am quite disappointed that practically none of the major tech blogs has discussed the fact that Carrier IQ is not only not installed on BlackBerry devices, but it is a violation of RIM agreements for a carrier to install this app on a phone. From RIM support forum: [blackberry.com]
Re:Analytics for Mobiles (Score:5, Interesting)
Something that hasn't been brought up is: Who is paying for transmitting the data from your handset to CarrierIQ?
Re:Analytics for Mobiles (Score:4, Interesting)
the vanilla Android devices (Nexus line) don't ship with the CarrierIQ software, which means that either the handset manufacturers or, much more likely given the US-centric focus, the carriers are responsible for installing it.
...Which is a very good point. Google gives not only end users but also manufacturers and carriers relatively free reign over Android phones. Apple retains much more control over the iPhone.
While it's easy to see how Apple's strategy can hurt power users, Google's strategy can hurt users also.
Between iOS and Android, you're just trading one bucket of problems for another. Siri will find you a dentist if you tell it you broke a tooth and point you to the nearest escort agency if you're looking for one, but it won't help you if you need to renew your birth control prescription refilled. If you tell it you've been raped, it blithely replies, "Really!"
Apple and Wolfram Alpha can say what they like about the service's beta status; the likeliest reason for this is that they didn't want to touch one aspect of societal behaviour because it might upset parents and affect sales to teens.
Google errs on the other side, empowering handset providers, allowing them to indulge their baser instincts when it comes to how they view customers on their networks. For telcos, the customer is the commodity.
In both cases, corporate entities feel entitled to decide what we are allowed to know about them and what they are allowed to know about us. The contrast between the two couldn't be stronger.
In fairness, this is a common human failing. When it's my information at stake, we call it privacy. When it's someone else's, we call it secrecy [imagicity.com].
The only way to square this circle is to remove the dichotomy altogether. Paradoxically, the only way we can be sure that others aren't abusing our private data is through transparency, which requires less, not more, privacy. In the end, the best we can hope for is a kind of neo-Victorianism, in which we are more willing to accept polite behaviour at face value and overlook all but the more egregious failings. Ultimately, we will have to learn to accept that we are all no better than we should be.
I have no faith whatsoever that American society will be able to accomplish this. The Protestant ethic of probity and respect has long since been extinguished in favour of a mix of fundamentalist, moralistic witch-hunts and ugly prurience.
Re:Software freedom is the solution. (Score:3, Interesting)
Access to source isn't necessarily a red herring, although you are right the bigger issue is trust. But source opens up markets for trust.
If you/someone you trust had access to the source of all the software on your phone/device you could use trusted services that compare your phone's software (binaries) to a trusted compile. (Trusted binaries could be provided by proprietary software creators, but I'd rather not trust the software creators and have it independently compiled by a company whose business is security/trust.) Transparency and source are the first steps towards building a functional trust market where you have real choices of businesses that offer services that increase the trust you have of your devices. Extending trust to your network is certainly problematic, but I would hope eventually network providers would have their networks independently audited by security/trust companies, but that would require enough demand (and potentially redundant networks so that you could choose to only use those that you deemed secure enough).
People haven't really groked that the physical things in their life that run software may actually be controlled by someone else. That is a pretty foreign concept, but I'm hoping that once it really sinks in we'll see some real businesses that specialize in keeping your software working for you (not just anti-virus). At that point free software will have an insurmountable advantage over proprietary.
Re:You can put anything on iPhone without a jailbr (Score:3, Interesting)
A good chunk of developer freedom is tied up in distribution.
If you're allowed to develop, but not distribute, then your freedom as a developer has been compromised. Consider the various free applications available from the Cedega app installer - there's no entrepreneurial angle there.
There would be nothing from stopping you distributing your code for an iOS app. In order for your "users" to install it though, they would need to pay the $99 fee for a developer license or be jailbroken. Your right as a developer to distribute software is still there, not very conveniently though but there none the less.
Re:Analytics for Mobiles (Score:5, Interesting)
So on the one hand we have a security researcher being quoted in the news and we are going on his word that he disassembled the software and found no evidence that it was capturing keystrokes. His credentials are that he discovered vulnerabilities in Linux.
On the other hand we have a video of an active android developer who originally found the CarrierIQ software showing via the Android debugger that when he presses a key on his Android device that key gets passed to and processed by Carrier IQ's running process, even though the key in question is a softkey used by a different application (the numbers on the phone dialler for instance which no app should have any business reading).
Sorry but so far I'm sceptical about the CNN article. Maybe someone can debunk exactly what's going on in the video which was posted then the CNN article and the security researcher's claims would be more valid. They have the burden of proof at this point.