WHAT YOUR SMARTPHONE DOES BEHIND YOUR BACK
When popular Chinese handset
maker Xiaomi Inc admitted that its devices were sending users' personal
information back to a server in China, it prompted howls of protest and an
investigation by Taiwan's government.
The affair has also drawn
attention to just how little we know about what happens between our smartphone
and the outside world. In short: it might be in your pocket, but you don't call
the shots.
As long as a device is
switched on, it could be communicating with at least three different masters:
the company that built it, the telephone company it connects to, and the
developers of any third-party applications you installed on the device - or
that were pre-installed before you bought it.
All these companies could have
programmed the device to send data 'back home' to them over a wireless or
cellular network - with or without the user's knowledge or consent. In Xiaomi's
case, as soon as a user booted up their device it started sending personal data
'back home'.
This, Xiaomi said, was to
allow users to send SMS messages without having to pay operator charges by
routing the messages through Xiaomi's servers. To do that, the company said, it
needed to know the contents of users' address books.
"What Xiaomi did
originally was clearly wrong: they were collecting your address book and
sending it to themselves without you ever agreeing to it," said Mikko
Hypponen, whose computer security company F-Secure helped uncover the problem.
"What's more, it was sent unencrypted."
Xiaomi has said it since
fixed the problem by seeking users' permission first, and only sending data
over encrypted connections, he noted.
Industry issue
Xiaomi is by no means alone
in grabbing data from your phone as soon as you switch it on.
A cellular operator may
collect data from you, ostensibly to improve how you set up your phone for the
first time, says Bryce Boland, Asia Pacific chief technology officer at
FireEye, an internet security firm. Handset makers, he said, may also be
collecting information, from your location to how long it takes you to set up
the phone.
"It's not that it's
specific to any handset maker or telco," said Boland. "It's more of
an industry problem, where organisations are taking steps to collect data they
can use for a variety of purposes, which may be legitimate but potentially also
have some privacy concerns."
Many carriers, for example,
include in their terms of service the right to collect personal data about the
device, computer and online activities - including what web sites users visit.
One case study by Hewlett-Packard and Qosmos, a French internet security
company, was able to track individual devices to, for example, identify how
many Facebook messages a user sent. The goal: using all this data to pitch
users highly personalized advertising.
But some users fear it's not
just the carriers collecting such detailed data.
Three years ago, users were
alarmed to hear that U.S. carriers pre-installed an app from a company called
Carrier IQ that appeared to transmit personal data to the carrier.
Users filed a class-action
lawsuit, not against the carriers but against handset makers including HTC
Corp, Samsung Electronics and LG Electronics which, they say, used the software
to go beyond collecting diagnostic data the carriers needed.
The suit alleges the handset
firms used the Carrier IQ software to intercept private information for
themselves, including recording users' email and text messages without their
permission - data the users claim may also have been shared with third parties.
The companies are contesting the case.
And then there are the apps
that users install. Each requires your permission to be able to access data or
functions on your device - the microphone, say, if you want that device to
record audio, or locational data if you want it to provide suggestions about
nearby restaurants.
Shedding some light
But it isn't always easy for
a user to figure out just what information or functions are being accessed,
what data is then being sent back to the developers' servers - and what happens
to that data once it gets there. Bitdefender, a Romania-based antivirus
manufacturer, found last year that one in three Android smartphone apps
upload personal information to "third party companies, without specifically
letting you know."
Not only is this hidden from
the user, it's often unrelated to the app's purpose.
Take, for example, an Android
app that turns your device into a torch by turning on all its lights - from the
camera flash to the keyboard backlight. When users complained about it also
sending location-based data, the U.S. Federal Trade Commission forced the app's
Idaho-based developer to make clear the free app was also collecting data so it
could target users with location-specific ads. Even so, the app has been
installed more than 50 million times and has overwhelmingly positive user
reviews.
While most concerns are about
phones running Android, Apple Inc's devices aren't free from privacy concerns.
Carriers control the code on
the SIM, for example, and this is one possible way to access data on the phone.
And, despite stricter controls over apps in Apple's app store, FireEye's Boland
says his company continues to find malicious apps for the iOS platform, and
apps that send sensitive data without the user knowing. "The iPhone
platform is more secure than the Android platform, but it's certainly not
perfect," he said.
Apple says its iOS protects
users' data by ensuring apps are digitally signed and verified by Apple's own
security system.
Back in the driving seat
The problem, then, often
isn't about whether handset makers, app developers and phone companies are
grabbing data from your phone, but what kind of data, when, and for what.
"If we look at the
content sent by many apps it's mindboggling how much is actually sent,"
said Boland. "It's impossible for someone to really know whether something
is good or bad unless they know the context."
Handset makers need to be
clear with users about what they're doing and why, said Carl Pei, director at
OnePlus, a Shenzhen, China-based upstart rival to Xiaomi.
OnePlus collects
"anonymous statistical information" such as where a phone is
activated, the model and the version of software that runs on it, Pei said,
which helps them make better decisions about servicing customers and where to
focus production.
Unlike Xiaomi, Pei said,
OnePlus' servers are based in the United States, which in the light of recent
privacy concerns, he said, "gives people greater peace of mind than having
them based out of China."
That peace of mind may be
elusive as long as there's money to be made, says David Rogers, who teaches
mobile systems security at the University of Oxford and chairs the Device
Security Group at the GSMA, a global mobile industry trade association.
"Users are often
sacrificed to very poor security design and a lack of consideration for
privacy," he said. "At the same time, taking user data is part of a
profit model for many corporations so they don't make it easy for users to
prevent what is essentially data theft."
Mature Minds Talk.
Lol......na wa o. Technology!!!