Wednesday, December 14, 2011

Why root access matters

I have long held the belief that a person should have complete and total control of his digital devices. This is largely because I think that if a person shells out for a high-tech toy, she should be able to run whatever software she likes, tweak any and all settings, and so on. Some insufficiently suspicious folks called me paranoid when I would mention that without full control of the device, you can't be sure that all the software running on it is benign.

About two weeks ago, it was learned that several cell phone carriers have been shipping Android phones with a hidden application called CarrierIQ installed. This application can do things like monitor the phone's location via GPS, and check signal quality as well. In addition to this, it can monitor text messages for specific strings and monitor which URLs have been visited.

Yesterday, the FBI declined a Freedom of Information Act request about the software on the grounds that the information was related to "a pending or prospective law enforcement proceeding".  Today, the EFF reported that they believe keystroke data is being inadvertently transmitted to third parties.

It is important to note that at least some (if not all) of the information CarrierIQ gathers does serve legitimate diagnostic purposes.  In my line of work we occasionally need to perform packet inspection to resolve various network issues.  There is a very large and very real potential for privacy abuse here, but it doesn't happen.  While it is true that there are a variety of policies and procedures to make sure that our customers' privacy is respected, we simply don't have the time to dig through other people's packets. 

Carrier IQ probably is not slinging your text messages and browsing history off to the CIA (that'd be much easier to do on the carrier's network anyway). Nonetheless, if people had full control of their phones in the first place, this application would not have been hidden, and would not have gone unnoticed for an undetermined period of time.

Anyone who hides things from you on devices you own or tries to keep you in a walled garden is not your friend.
