The Thin Red Line between Quality Control and Root Kit Privacy Invasion
December 1, 2011 Leave a comment
- Mobile carriers only want to make sure our traffic is OK; they just forgot to ask.
- Anything put on an open platform can be taken off, but what about the ethics behind such actions?
Carrier IQ (CIQ) is a very discreet U.S. software company with an application which it claims helps network providers diagnose a range of problems on Android devices, including identifying user location, causes of premature battery drainage, dropped calls, and other system problems. The reason for discretion is the fact that the app is preloaded onto mobile phones before being sold to customers, and once loaded, it is very hard to spot, has a wide range of preset permissions to monitor and report any and all user activities on the device to the carrier, and cannot be turned off. In other words, CIQ meets the definition of a root kit.
While CIQ has not managed to develop the app for iOS or BlackBerry devices, as these platforms are more locked down, the company had the audacity to threaten to bring legal action against the Android developer who claimed the company’s diagnostic application amounted to a rootkit that posed a privacy threat to millions of handset owners. CIQ’s carrier customers are understandably reticent about acknowledging use of the app, but the security researcher who unearthed it is an AT&T and Sprint customer, so it is probably prevalent – at least among U.S. Android users. However, while anything installed on an open platform such as Android can obviously be uninstalled, in this case, it requires re-flashing of the phone’s ROM (how to find it and instructions for its removal are already available on YouTube, of course).
Still, we are left with uncomfortable questions, specifically: How much can service providers spy on customers’ activities without an open opt-out clause (many users would probably welcome some kind of log they could upload if they have a technical problem)? Who gets access to this information and what kind of security clearance do they have? Is there any kind of public scrutiny of these practices? Would you trust an Android device with your corporate communications, or a carrier who surreptitiously puts such apps on handsets sold to enterprise customers? These questions will only get harder as we ramp up the use of smartphones for a wide range of mobile data activities. Does this affect your future attitude to open platforms, or make you wary of carrier snooping?