A few days ago I asked whether Android smartphones were subject to a potentially massive security risk, with the discovery that Carrier IQ software is tracking almost every keystroke made on them, every Web site visited, etc.
The story gets "curiouser and curiouser", as Lewis Carroll's Alice might have observed. CNN reports:
The company behind the now-notorious Carrier IQ software that has been found to log every keystroke pressed, website visited and text message sent by 150 million mobile phone users said Friday it was shocked to learn that its software was doing that.
. . .
Coward insisted that the Carrier IQ software was not responsible for the logging of keystrokes and other user data. He said the program does not need to log that kind of information to serve its purpose of transmitting network diagnostic data to the phone's carrier.
Instead, Coward said the logging was happening at the operating system level, likely as a result of add-on software installed by the handset manufacturers. But he couldn't say for sure.
"We don't know enough at this point -- it's a very good question," Coward said.
Security experts say Carrier IQ's preliminary explanation makes sense, and it's at least conceivable that the company was "surprised" to learn that its app was logging data. But Carrier IQ isn't blameless.
"If the company says it's surprised, that indicates the handset manufacturers inserted some debugging code that the manufacturers are turning on when they shouldn't be," Rosenberg said. "But that still means Carrier IQ has some debugging mode built into it that is capable of logging everything. I'm not sure who wrote code, but that was a poor decision."
The fact that Carrier IQ itself doesn't know what's going on with its own application shows just how murky, complicated and entangled the debacle has become. The result is a lot of finger pointing: Spokesmen from HTC and Samsung both told CNNMoney that carriers forced them to install the program.
The wireless providers that have acknowledged using Carrier IQ -- AT&T (T, Fortune 500), Sprint (S, Fortune 500) and T-Mobile -- are all deflecting questions about the software's detailed logging to Carrier IQ. Which, in turn, is pointing back to the manufacturers' implementations of its software and saying that's where the problem lies.
The manufacturers, most of whom are sticking to painstakingly worded statements, are still trying to sort out their role in this mess. A Samsung spokesman said the company was digging into the issue and would have a comment later.
HTC tossed the hot potato onward: "Carrier IQ is required on devices by a number of U.S carriers so if consumers or media have any questions about the practices relating to, or data collected by, Carrier IQ we'd advise them to contact their carrier," a company spokesman said in a prepared statement.
. . .
Regardless of whoever is ultimately responsible, the app continues to raise privacy concerns. A stolen phone that hasn't been turned off -- a common occurrence among cell phone users -- could be a gold mine for hackers, who would have access to literally everything a user has done or said on the device since it was last powered down.
There's more at the link. I highly recommend reading the article in full, to get some idea of how complicated and legally murky the situation has become.
Right now, it seems that a company wrote software to track everything a smartphone user does; the providers of network services to smartphones insist that it be used; the manufacturers of the smartphones insist that they only install it because the service providers insist on it; and all parties concerned deny that they're doing anything unethical, immoral or illegal, and blame each other for the existence of the problem in the first place!
Sounds like a good reason to avoid buying and/or using any smartphone, if you ask me . . .
Peter
Occam's razor.
Option 1) Carrier IQ accidentally left a bug in the software that multiple telecom companies found, allowing remote data logging. The telecoms deliberately hid this as a concealed process that could not be turned off and continued even if the phone was not hooked to their network. The telecoms did this only for the purposes of improving the customer experience.
Or
An espionage agency arranged to have the program installed as part of a surveillance programme and the Telecoms went along with it.
Which seems more likely?
I work in the IT field and have done my share of programming. The article makes sense. Most programmers will add some kind of debugging code that logs anything that "might be useful". And few actually bother to take it out of the finished product, just because it might be useful later, so they will just turn it off when it goes into production.
If the handset manufacturer finds that code, I can see how they could think it "might be useful" to turn it back on, without actually meaning to spy as such. They'll just think that maybe they will have use for it later on to improve their service.
That's just how many in the IT field think, they really can't separate the concepts of "what we can do" and "what we should do". The fact that such logging can be misused probably didn't enter their minds, they just intend to use it to improve.
This of course does not change any of the privacy concerns, nor the outrage, but I think it's important to know why such things happen so others can be discouraged from doing similar programming.
Personally I make an effort to not store customer information. Whenever I set up a user account I never store the password in a list, I don't keep any user profiles, and I turn off all logging when going into production. I also try to minimize detailed logging and only add it temporarily when debugging a certain issue.
But being a programmer, adding that kind of code to a program is very tempting, and the only thing preventing it is strict guidelines from management that it is not to be done.
radagast, option 2 there occurred to me as soon as the story first aired.
The third option is that they're selling the info under the table, to the highest bidder (IE: really crooked business).