Wednesday, November 30, 2011

Your phone does not respect your privacy

Srlsy.



Trevor Eckhart found an app called CarrierIQ that records all your key presses, geographic location, and the messages you receive.  It also periodically communicates with CarrierIQ's web site, presumably to upload this data.

Here's where the plot thickens.  CarrierIQ sued Eckhart to silence him.  The Electronic Frontier Foundation came to his aid, and so Eckhart posted his information.  And as it turns out, CarrierIQ doesn't deny that they're doing this:

In an interview last week, Carrier IQ VP of Marketing Andrew Coward rejected claims the software posed a privacy threat because it never captured key presses.

“Our technology is not real time,” he said at the time. "It's not constantly reporting back. It's gathering information up and is usually transmitted in small doses.”

Coward went on to say that Carrier IQ was a diagnostic tool designed to give network carriers and device manufacturers detailed information about the causes of dropped calls and other performance issues.

We had to spy on the village in order to save it.  Or something.

I call this sort of thing "spyware".  The reason is that it's sneaky - nobody knew it was there until Eckhart released his information.  It's running silently on millions of Android devices.  There's nothing in the EULA (well, nothing that I can see, which brings us back to that "sneaky" bit) that says they're recording and uploading this "for purposes of debugging".

So caveat emptor.  You may want to jailbreak your Android phone, to wipe this out.  It looks like it's not easy - back to the "spyware" bit.

Me, I think I'm going to go back to the Motorola Brick.

UPDATE 6 December 2011 16:33: The company issues a denial, with considerable technical information.  The technical press seems to find that credible.  I'm not so sure, but you know how nasty and suspicious I am.

Still want a Brick Phone, for that retro-techno chic.

10 comments:

bluesun said...

So this is something that is already installed? On all phones?

An Ordinary American said...

When I retired a few years ago, I tossed my "do it all" cell phone in the lake one day while out on the boat.

Went and got a basic pay-as-you-go flip-phone and have not looked back.

Older I get, the less I want to have anything to do with more and more people. So why would I want a phone that facilitates social activity when I'm growing more and more anti-social?

George Orwell only missed it by a few decades.

--AOA

Borepatch said...

bluesun, it looks like this is installed on all Android phones (or at least, most of them).

bluesun said...

Sigh.

NotClauswitz said...

Fortunately or not the prohibitive co$t of a monthly plan precludes my use of a smartphone, so instead I/we have a T-Mobile pay-as-you-go Sony Ericsson anon-a-phone with a 2MP camera I got off eBay.

Broken Andy said...

Borepatch, didn't you dump your iPhone because they accidentally leaked cell tower information? This sounds completely intentional. You gonna dump Android now?

BTW, nobody knows how bad this is. I watched the video and so far all we see is a daemon sending system events to the debug log. Nowhere does he prove what is actually sent to CarrierIQ. And the bit about HTTPS encryption being thwarted is hype. Unless I see a network dump, it is unproven. A plain text password showing up in a URL is a sign of a badly designed webapp, but it doesn't prove HTTPS encryption is being bypassed.

Borepatch said...

What was that, Andy? Sorry, I was brushing my Wookie Suit.

;-)

But do you know what I want to hack (assuming I didn't only use my Powers for good)? A snooping app that was poorly coded but installed on millions of devices. Just sayin'.

SiGraybeard said...

Motorola Brick? Clear, unencrypted analog AMPS FM?

Yeah, well, I suppose you'd have to figure out how much worse it is. It's not like landline phones are secure, either.

Broken Andy said...

"app that was poorly coded but installed on millions of devices"

You've just described 20 years of Windows prevalence. :)

Linux FTW! Oh wait. Android is Linux.

Anonymous said...

Well had my landline tapped because a neighbour of mine was selling drugs, I miss the telltale clicking sound. I had fun accusing the various authorities of having small wieners.