viernes, 2 de diciembre de 2011

Carrier IQ gives the game away - ZDNet UK

It is the stuff of nightmares. A hidden piece of software called Carrier IQ is discovered in millions of mobile phones. It seems to be monitoring everything the unsuspecting users do — keystrokes, calls, emails, texts, web browsing, location sensing — and there's no way to turn it off.

Devoid of the normal user agreements or controls, it looks very much like a rootkit: indeed, from its nature and behaviour, there seems no other way to describe it.

The first discovery is made in Android, which has an open nature conducive to investigation. But it turns out that the same software is present on other platforms. Is this the long-awaited malware invasion of mobile? The anti-malware vendors must have been besides themselves with joy: but any such feelings would be premature. It turns out that the mobile phone carriers put it there themselves. Carrier IQ exists to give them intimate details of the phones' operation.

Carrier IQ monitors mobile users' activities. Image credit: Trevor Eckhart/YouTube

Cue the outrage. For a while, it seems as if the discovery of the true nature of Carrier IQ makes it even worse than being hacked by the People's Liberation Army Third Department's Seventh Bureau (61580 Unit) — the Beijing equivalent of GCHQ. Spies and criminals, well, they're supposed to attack us: when our mobile networks do it, that's betrayal.

But while the nature and distribution of Carrier IQ is undisputed, its intention is not so clear. Claims and counterclaims continue, but the most generous interpretation of its existence is also the most likely: it is there, as its creators say, to gather anonymous data to help the networks spot problems and optimise their systems. It also helps diagnose individual problems, letting the operator check what's happened on a phone and fix it.

Three cardinal errors 

These are good, probably essential, things to do. So why do so many people assume the worst? Why is people's opinion of the mobile networks on a par with their opinion of communist spies? The operators made three cardinal errors: They tried to hide that which should not be hidden, they kept quiet that which should be told, they did not ask that which should be asked.

If what you're doing is legitimate, educate the users on how they benefit from opting in; if you can't persuade them, you shouldn't be doing it.

If you have diagnostic software that collects data from your users: be open about it. Make it obvious what it is and what it's doing. Otherwise, the assumption is you have something to hide, and if you're a company with a reputation for holding your users in disdain — as all mobile operators are — that assumption will include the worst possible interpretation of why.

More than not hiding it, you should actively tell people about it. Make it a feature. Advertise it. Tell the users: "We constantly monitor the quality of our network, with your help: here's how you are making all our experiences better." More importantly, be ruthlessly transparent about what data you're collecting and when, and what you do with it.

It's OK to make money at this, but be honest. Hire the best independent security teams, and ask them to audit your process. 'Anonymous' data collection so frequently isn't. Guess what: proving you do what you say is what your users need to see.

And more than talking about it, ask first. Get your users to opt in. The entire industry lives in fear of opt-in, thinking — rightly — that so few people will say yes that the services won't get critical mass.

But the problem there isn't that the users are churlish, it's that they don't trust you. And you don't build trust by more layers of deceit: at some point, you'll be regulated in ways you don't like. If what you're doing is legitimate, educate the users on how they benefit from opting in; if you can't persuade them, you shouldn't be doing it.

The problem with Carrier IQ isn't in the software or the data, it's in the culture that hid it, denied it, and took control away from the users. If the mobile network operators want to be held in more esteem than 61580 Unit, they should start to act as if they deserve it. Open up.


Get the latest technology news and analysis, blogs and reviews delivered directly to your inbox with ZDNet UK's newsletters.

No hay comentarios:

Publicar un comentario