Wednesday, November 30, 2011

Are Android smartphones subject to a massive security risk?

According to Wired online magazine, they certainly are.

The Android developer who raised the ire of a mobile-phone monitoring company last week is on the attack again, producing a video of how the Carrier IQ software secretly installed on millions of mobile phones reports most everything a user does on a phone.

Though the software is installed on most modern Android, BlackBerry and Nokia phones, Carrier IQ was virtually unknown until 25-year-old Trevor Eckhart of Connecticut analyzed its workings, revealing that the software secretly chronicles a user’s phone experience — ostensibly so carriers and phone manufacturers can do quality control.

But now he’s released a video actually showing the logging of text messages, encrypted web searches and, well, you name it.

Eckhart labeled the software a “rootkit,” and the Mountain View, California-based software maker threatened him with legal action and huge money damages. The Electronic Frontier Foundation came to his side last week, and the company backed off on its threats. The company told last week that Carrier IQ’s wares are for “gathering information off the handset to understand the mobile-user experience, where phone calls are dropped, where signal quality is poor, why applications crash and battery life.”

The company denies its software logs keystrokes. Eckhart’s 17-minute video clearly undercuts that claim.

. . .

By the way, it cannot be turned off without rooting the phone and replacing the operating system. And even if you stop paying for wireless service from your carrier and decide to just use Wi-Fi, your device still reports to Carrier IQ.

It’s not even clear what privacy policy covers this. Is it Carrier IQ’s, your carrier’s or your phone manufacturer’s? And, perhaps, most important, is sending your communications to Carrier IQ a violation of the federal government’s ban on wiretapping?

And even more obvious, Eckhart wonders why aren’t mobile-phone customers informed of this rootkit and given a way to opt out?

There's more at the link. A 17-minute video demonstration of the software in question may be viewed here. I also recommend following the links in the excerpt above to learn more.

I have three questions for Google (who produce the Android operating system), the smartphone manufacturers, and the cellular service providers who sell the phones and provide service to them:

  1. Why were consumers not informed about this intrusive, invasive tracking and logging of their most private and confidential information, up to and including banking passwords, etc.?
  2. What has been done with all, repeat, all of the information collected thus far? Has it been stored, and if so, in what form, and is such confidential information retrievable and identifiable as belonging to a specific individual?
  3. Why is there no opt-out provision so that consumers can decide for themselves whether they wish to permit such gross invasions of their privacy?

I want open, honest, public answers to those questions - not to mention an apology for their underhanded conduct from the companies concerned! Meanwhile, I'm rather glad that I don't use a smartphone. I think I'll stick with my old-fashioned cellphone, unless and until I can be more assured of my privacy when using something more sophisticated!

