Tuesday, December 6, 2011

You Will Be Known By the Company You Keep

There is an old saying that you are known by the company you keep. In the world of Android this is a very interesting and telling story of the lack of respect for privacy by the major players.

In March of 2011 Twitter and the FTC reached a settlement brought on by Twitters gross negligence in the protection of private information they were responsible for.

Also in March of 2011 The FTC and Google reached a settlement brought on by Google’s deceptive practices and violations of privacy policies in the launch of Buzz. In a nutshell, Google abused the access to Gmail user’s contact information to expose confidential information without consent or approval of the users.

In November 2011 Facebook reached a settlement agreement with the FTC because Facebook abused its access to consumer data.

In all of these cases what is clear is that these are companies who through incompetence, greed, or malice have demonstrated that they cannot be trusted to keep their word and deal with consumers data with honesty, respect and integrity. Personal information entrusted to these companies cannot be expected to remain as confidential as promised.

The big buzz in the Android space is Carrier IQ. Carrier IA is a company that makes a rootkit that secretly records a ton of private information. It really isn’t just Androids, many iPhones have the software and reportedly so do Blackberrys.

So who is in the company of these privacy deficient companies? Why T-Mobile, of course. T-Mobile almost certainly is not the only carrier to share their bed and perhaps your intimate thoughts with these strange bedfellows, but I have a T-Mobile phone, so I report from experience.

Facebook, Twitter, and Gmail came pre-installed on my HTC MyTouch 4G Slide and regardless of the track record of these companies, T-Mobile refuses to let users remove these applications. In all fairness there are also other applications that are useless to many users, but look a lot like spyware and T-Mobile will not allow the removal of the applications. T-Mobile also never obtained informed consent from consumers to share data with these companies through their ad supported software. In other words, T-Mobile installs software that may be siphoning off private information without informing the consumer or obtaining consent.

Ironically, Carrier IQ is one of the few programs that might be actually doing something required to improve the functionality of the devices it is installed on and that is the focus of class action lawsuits and congressional investigation. It really is a travesty. The class action lawsuits and congressional investigations need to be focused on carriers forcing consumers to disclose confidential information without notification, consent, or the ability to remove invasive software that is not required for functionality.
In the coming days I will report on some other applications that appear to be preinstalled spyware. One such application is a demo of Bejeweled 2. I am to have a conversation with an executive from Electronic Arts today to discuss my concerns that Bejeweled 2, the demo version that is preinstalled on my phone, may be spyware. I look forward to a respectful and informative conversation and will report back the results. It may take a while as the executive may need to do some research into why some things are designed the way they are and what, if any, corrective actions might be taken.

The bottom line is that Carrier IQ has made people look the wrong way so they you don’t see the potentially massive data leaks form the software on your phone that is in plain sight.

Yes T-Mobile, those known to be some of most egregious violators of privacy and respect are the company you keep and appear to emulate.

It really is time for the FTC and congress to take an informed look at mobile providers and cell phone manufacturers. Carrier IQ is the tip of the iceberg.

Randy Abrams
Independent Security Analyst
Updated: Electronic Arts, rather than Entertainment Arts. Thanks for the heads up Jon Poon!

1 comment: