HTC gets Google envy with analytics gone awry
Independent security researcher Trevor Eckhart revealed yesterday that a recent software update to some HTC smartphones has accidentally given third party applications access to huge amounts of private data, including call logs, geolocation history, SMS data and a whole lot more.
The update surreptitiously installs a suite of applications logging users' interactions with their devices. When a device is first switched on, the user ostensibly has the option not to allow HTC to collect and use information. However, even if this option is selected, HTC quietly goes ahead and logs the information anyway. And to make matters a thousand times worse, this information is then made freely available to any third party application with permission to access the internet (which will be the majority of apps).
I'm giving HTC the benefit of the doubt and assuming the latter was a colossal technical error rather than anything more insidious. And they are by no means the only guilty party. Mobile phone carriers like Sprint are installing similar analytics services, offered by companies like Carrier IQ (details of which surfaced thanks to k0nane). Carrier IQ advertises mobile analytics via a software package buried deep within Android, and is deployed on a staggering 141 million devices. Its website claims:
"IQ Insight Experience Manager uses data directly from the mobile phone itself to give a precise view of how users interact with both their phones and the services delivered through them, even if the phone is not communicating with the network."
One must wonder why these companies are so keen on logging such a volume of information in the first place. To my mind, the answer is simple: Google envy. Google's staggering growth has demonstrated how profitable monetizing user behaviour can be, and most mobile operators are now desperate to cash in themselves. Throwing caution to the winds, they are approving the installation of analytics services on mobile and other devices that invade their customers' privacy in ever more underhand and intrusive ways. The justification for this is always the same - the collection of information in order to better 'personalize' content, 'improve your experience' and guarantee 'ease of use'. How nice of them.
'Ease of use' versus privacy and security is an old battle. Throughout the 1990s, Microsoft persistently emphasized 'ease of use' - leaving its systems wide open to intrusions and allowing an entire anti-virus software industry to blossom in its wake. Facebook has been stung time and time again as they recklessly 'opt-in' their entire userbase for features that share an extraordinary amount of users' information, only later adding some features to inform users and give them some ability to control information flows when using third-party applications.
In theory, it's true that knowing more about its customers might help a company improve its services - why else would the market research industry have been thriving for almost a century? But if a company is collecting information for these purposes, at the very least it has a duty to protect that information to the best of its abilities, and recent history tells us that this is not the case. For example, in 1996 and again in 2006, Telecom Italia suffered a breach that meant over 6000 individuals' communications were illegally monitored by criminals with the aim of perpetrating blackmail and bribery. In 2010, an IBM researcher found a Cisco switch designed to accommodate law-enforcement wiretapping that could be spoofed, allowing unauthorized parties to initiate eavesdropping. As communications security expert Susan Landau noted in her testimony to the US Congress in February this year, in that period "no large business or political deal was ever truly private".
Apple, Google and Microsoft have also hit the headlines over the past few months for their extensive location tracking. There was Apple's denial, the US Senate hearing and several subsequent lawsuits. But this is different - while other companies collect data in order to provide certain services, HTC aren't giving you mapping software or tools to help you connect with your friends. They are a hardware company. So why are they so desperate to hoover up private information that they're willing to deceive paying customers in order to do so?