When popular Chinese handset maker Xiaomi Inc admitted that its devices were sending users' personal information back to a server in China, it prompted howls of protest and an investigation by Taiwan's government.
The affair has also drawn attention to just how little we know about what happens between our smartphone and the outside world. In short: it might be in your pocket, but you don't call the shots.
As long as a device is switched on, it could be communicating with at least three different masters: the company that built it, the telephone company it connects to, and the developers of any third-party applications you installed on the device - or that were pre-installed before you bought it.
All these companies could have programmed the device to send data 'back home' to them over a wireless or cellular network - with or without the user's knowledge or consent. In Xiaomi's case, as soon as a user booted up their device it started sending personal data 'back home'.
This, Xiaomi said, was to allow users to send SMS messages without having to pay operator charges by routing the messages through Xiaomi's servers. To do that, the company said, it needed to know the contents of users' address books.
"What Xiaomi did originally was clearly wrong: they were collecting your address book and sending it to themselves without you ever agreeing to it," said Mikko Hypponen, whose computer security company F-Secure helped uncover the problem. "What's more, it was sent unencrypted."
Xiaomi has said it has since fixed the problem by seeking users' permission first, and only sending data over encrypted connections, he noted.
INDUSTRY ISSUE
Xiaomi is by no means alone in grabbing data from your phone as soon as you switch it on.
A cellular operator may collect data from you, ostensibly to improve how you set up your phone for the first time, says Bryce Boland, Asia Pacific chief technology officer at FireEye, an internet security firm. Handset makers, he said, may also be collecting information, from your location to how long it takes you to set up the phone.
"It's not that it's specific to any handset maker or telco," said Boland. "It's more of an industry problem, where organizations are taking steps to collect data they can use for a variety of purposes, which may be legitimate but potentially also have some privacy concerns."
Many carriers, for example, include in their terms of service the right to collect personal data about the device, computer and online activities - including what web sites users visit. One case study by Hewlett-Packard (HPQ.N) and Qosmos, a French internet security company, was able to track individual devices to, for example, identify how many Facebook (FB.O) messages a user sent. The goal: using all this data to pitch users highly personalized advertising.
But some users fear it's not just the carriers collecting such detailed data.
Three years ago, users were alarmed to hear that U.S. carriers pre-installed an app from a company called Carrier IQ that appeared to transmit personal data to the carrier.
Users filed a class-action lawsuit, not against the carriers but against handset makers including HTC Corp (2498.TW), Samsung Electronics (005930.KS) and LG Electronics (066570.KS) which, they say, used the software to go beyond collecting the diagnostic data the carriers needed.
The suit alleges the handset firms used the Carrier IQ software to intercept private information for themselves, including recording users' email and text messages without their permission - data the users claim may also have been shared with third parties. The companies are contesting the case.
And then there are the apps that users install. Each requires your permission to be able to access data or functions on your device - the microphone, say, if you want that device to record audio, or location data if you want it to provide suggestions about nearby restaurants.
SHEDDING SOME LIGHT
But it isn't always easy for a user to figure out just what information or functions are being accessed, what data is then being sent back to the developers' servers - and what happens to that data once it gets there.
Bitdefender, a Romania-based antivirus manufacturer, found last year that one in three Android smartphone apps upload personal information to "third party companies, without specifically letting you know."
Not only is this hidden from the user, it's often unrelated to the app's purpose.
Take, for example, an Android app that turns your device into a torch by turning on all its lights - from the camera flash to the keyboard backlight. When users complained about it also sending location-based data, the U.S. Federal Trade Commission forced the app's Idaho-based developer to make clear that the free app was also collecting data so it could target users with location-specific ads. Even so, the app has been installed more than 50 million times and has overwhelmingly positive user reviews.
While most concerns are about phones running Android, Apple Inc's (AAPL.O) devices aren't free from privacy concerns.
Carriers control the code on the SIM, for example, and this is one possible way to access data on the phone. And, despite stricter controls over apps in Apple's app store, FireEye's Boland says his company continues to find malicious apps for the iOS platform, and apps that send sensitive data without the user knowing. "The iPhone platform is more secure than the Android platform, but it's certainly not perfect," he said.
Apple says its iOS protects users' data by ensuring apps are digitally signed and verified by Apple's own security system.
BACK IN THE DRIVING SEAT
The problem, then, often isn't whether handset makers, app developers and phone companies are grabbing data from your phone, but what kind of data, when, and for what.
"If we look at the content sent by many apps it's mind-boggling how much is actually sent," said Boland. "It's impossible for someone to really know whether something is good or bad unless they know the context."
Handset makers need to be clear with users about what they're doing and why, said Carl Pei, director at OnePlus, a Shenzhen, China-based upstart rival to Xiaomi. OnePlus collects "anonymous statistical information" such as where a phone is activated, the model and the version of software that runs on it, Pei said, which helps them make better decisions about servicing customers and where to focus production.
Unlike Xiaomi, Pei said, OnePlus' servers are based in the United States, which, in the light of recent privacy concerns, he said, "gives people greater peace of mind than having them based out of China."
That peace of mind may be elusive as long as there's money to be made, says David Rogers, who teaches mobile systems security at the University of Oxford and chairs the Device Security Group at the GSMA, a global mobile industry trade association.
"Users are often sacrificed to very poor security design and a lack of consideration for privacy," he said. "At the same time, taking user data is part of a profit model for many corporations so they don't make it easy for users to prevent what is essentially data theft."
Reuters