Tinkerer, Carrier, Rootkit, Spy
Do our smartphones spy on us? That's what millions of users want to know after a security researcher revealed the widespread use of an app from Carrier IQ, which makes software intended for network metrics but which perhaps could be used to do much more. Meanwhile, AT&T faces off with the FCC, Facebook gets ready for Wall Street, and security wonks light a fire under printer makers.
Dec 3, 2011 5:00 AM PT
The company Carrier IQ became an overnight pariah this week after a security researcher published information suggesting that software it makes could potentially be used to significantly violate the privacy of millions of smartphone users.
The researcher is Trevor Eckhart, and he said that the way Carrier IQ's application is used could allow it to tell your cellphone carrier all sorts of things about when and how you use your phone -- info like what applications you use, geographic location, what buttons are being pressed and usage history -- all without you knowing. Since stuff like URLs, text messages, credit card numbers and who knows what else are all entered by way of the phone's keypad, it seems Carrier IQ could be used to spy on some very sensitive stuff.
So why would anyone who's not a malware-slinging cybercrook ever put something like that on someone's phone without telling them? Well, Carrier IQ is actually meant to be a metrics service for use by wireless carriers. They tuck this app into users' phones to get a better idea of how their customers are using the network and get a highly detailed picture of what kind of performance they're seeing.
That's the way it's supposed to work, anyway. But Eckhart says that the way Carrier IQ looks in its raw form is very different than how it looks once it's been cooked into the phones wireless carriers sell. Straight Carrier IQ software is up front with the user about its presence -- it has you filling out forms when there's a problem, volunteering info and generally serving the same purpose as the comment card the waiter hands you when you're paying your bill at a restaurant.
But once carriers get their hands on Carrier IQ, according to Eckhart, they make it work behind the scenes. Most users aren't even aware it's there. So instead of asking for comments, the waiter's hiding under your table, listening to what you're saying about the restaurant and possibly overhearing a lot of other stuff too. From Eckhart's point of view, the software should be characterized as a rootkit.
Once the story began circulating, carriers and phone makers wasted little time distancing themselves from Carrier IQ, if they could honestly do so. Verizon, Research In Motion and Nokia told us they don't use the software, and HTC reportedly said that if you find it in their phones, it wasn't their decision -- talk to your carrier. The software is reportedly found in some iPhones -- Apple dumped it when it came out with iOS 5, but even if you're running something older, it's limited in what it reports and it's only active when the phone's in diagnostic mode.
Meanwhile, the news caught the attention of at least one U.S. senator. Minnesota's Al Franken has written a letter to Carrier IQ demanding to know exactly what kind of data the software logs, under what circumstances it's transmitted, to whom, what's done with it, how long it's kept, how it's protected, and why the company doesn't think it's in violation of federal privacy laws.
Listen to the podcast (12:40 minutes).
Not So Fast ...
AT&T had a really rough run-in with the FCC, and now it looks like it may have to drastically change its plan to buy up T-Mobile -- or just give up on that plan entirely.
The wireless carrier already had one federal agency to deal with. The U.S. Department of Justice initiated a lawsuit a few months ago to block the deal from going through, though leaving open the possibility of working it out with a few key concessions.
Then the FCC wanted to have its say as well, and it was pretty clear from the beginning that it would not be in favor of the proposed $39 billion acquisition. In fact, AT&T was so certain that the FCC would beat its proposal to a bloody pulp that it opted to pull the proposal entirely before the FCC's comments were released, perhaps hoping that things could later be dealt with more quietly in a revised application.
But the FCC decided to publicly release its take on the deal anyway, never mind that the proposal it referenced had already been officially disowned by AT&T.
And a bloody pulp it was. The FCC refuted nearly every major point AT&T had tried to make about how the merger would be beneficial to the market. Plenty of competition left? No, said the FCC, it would create a duopoly. Create jobs? More like kill them. Give AT&T the resources it needs to expand next-generation services? The company could do it alone for a fraction of the $39 billion it wants to pay for T-Mobile.
If the deal is officially sunk, it will cost AT&T $4 billion, an amount the carrier's already set aside on its books now that prospects look so dim. But even if the deal as we know it is killed, there remains a possibility for a plan B -- a possible joint venture with T-Mobile parent Deutsche Telekom.
The tech industry had a bit of an IPO spasm over the last few months, but lately it looks like going public just might be going out of style. Groupon took off initially, but share value quickly started to act really unstable. Meanwhile on Wall Street, LinkedIn's looking kind of meh, Pandora's barely limping along, and there's much anxiety over what's going to happen to Zynga when it goes public, which could happen this month.
The way things are shaping up, the first half of next year may not be a great time for a giant, groundbreaking IPO, but it looks like Facebook is going to go for it anyway. It's drawing up plans right now to go public in the second quarter of 2012, according to a report in The Wall Street Journal.
Being able to buy a piece of Facebook without having to be an Extra Special Person is something tech investors have been waiting on for years, and if they were expecting something big, they won't be disappointed. Facebook's IPO could be the biggest ever in the tech industry: It's rumored to be on the hunt for $10 billion. That figure would place the company's value upwards of $100 billion, about double what Goldman Sachs thought it was worth when it bought a piece a year ago for $1.5 billion.
Still, hitting that $10 billion mark is going to be a lot to ask for, especially if the economy doesn't seriously pick up over the next six months. But perhaps a company like Groupon isn't exactly the best comparison to Facebook if you're looking for a cautionary tale. Groupon doesn't have the user base, the popularity or, most importantly, the profitability of Facebook. Groupon's coupon service relies a lot on partnerships with mostly small- and medium-sized businesses, and it's not universally loved in that circle.
Facebook has 800 million members, they're all over the world, they tell it all sorts of personal details about themselves, many are thoroughly addicted, and the network can squeeze every little bit of intel it knows about them to benefit advertisers. The biggest Internet company in the world has taken its best shot at competing with Facebook, but it hasn't been able to draw any real blood.
But back to the matter of timing. Why would Facebook jump in at what might be a sour time for an IPO if it doesn't have to? Why not wait a while for the economy to pick up? There's the matter of having more than 500 individual investors -- at that point, by law a company has a limited amount of time before it has to open its books to the public. But that rule only mandates financial transparency, not a public stock offering.
What going public will do is pay off Facebook as a company, as well as some of its most important employees. Once that stock is publicly tradable, some of Facebook's most valuable and longstanding workers will suddenly become really, really rich, and they probably prefer that to happen sooner rather than later. Also, Facebook is on top of its game right now, and who knows -- maybe this is as good as it gets for the company as a private entity. Wait any longer and the glow may start to fade.
Facebook's future activities will take place under new federally mandated standards in regard to privacy, though. That's thanks to a settlement with the U.S. Federal Trade Commission, the details of which were just recently made public.
The mess started about two years ago. I suppose some would tell you that the real mess started sometime in 2004 in Mark Zuckerberg's dorm room, but in December of 2009, Facebook made some significant changes to the system users have for managing their privacy settings, and for a while many Facebook members' personal info was much more accessible than they may have wanted it to be. Everyone had the chance to log on and fix things to their liking, but the fact that the network took the liberty of making certain info public in the first place, all without asking, was a step too far, even for Facebook.
That incident was one of several cited by the FTC. The commission also said Facebook reneged on privacy promises made to members, threatened the health and safety of its users, and fibbed when it told them that third-party app makers could access only a limited amount of their personal info. In fact sometimes app makers could find out quite a lot about the people who were using their software. Together, these complaints all kicked off an FTC investigation.
Now that the investigation is complete, Facebook has agreed to conduct periodic privacy audits over the next 20 years and make future privacy changes opt-in, meaning nothing will change about the way a user's info is handled without that user's OK. It's also agreed to create a couple of new high-level positions for overseeing privacy issues full time.
So privacy gets a little more formalized at Facebook and future changes will be opt-in. It sounds like this will slow down the pace at which it shuffles around its policies concerning user info. But none of this is retroactive -- it doesn't make Facebook change anything back to the way it was, just the way it does things in the future, and in just eight short years this social network has already come a long way in budging the door open quite a lot, inch by inch. Some privacy advocates have criticized the FTC for not going further and doing something like fining Facebook for its mistakes, though they're generally glad that the FTC at least put its foot down to some degree.
Bonfire of the LaserJets
I don't have any hard statistics on the matter, but I really get the impression that every passing year, computers give me fewer and fewer reasons to bash my head against my desk. Maybe I'm getting smarter. Or maybe I'm not paying attention. Perhaps I just don't sink into forehead-bashing despair as quickly as I used to. But maybe stuff really is getting more advanced and better designed.
One reason could also be that I don't use printers as much as I used to. Most printers can still very effectively drive users straight up the wall. Paper jam? There is no paper jam. PC Load Letter? What? Gah!
But the work of some researchers at Columbia University suggests printers could do a lot more damage than just raise your blood pressure or drive you to head injury. They said they were able to remotely hack into a Web-connected printer and change around its firmware settings -- and were able to feed it instructions that would make it heat up so much that it singed the paper inside it. If their research is valid, then I guess the worst-case scenario is that theoretically a dedicated hacker could burn your house down from halfway around the world.
They used an HP LaserJet printer to prove their point, and naturally that did not sit well with HP. The company rebutted that no customer has ever reported having their printer hacked into, and besides, their LaserJets have a heat failsafe feature designed to prevent the device from catching fire. It did note that there is a potential security vulnerability with some of its printers, but it's working on it.
And HP isn't necessarily the only kind of printer that could be preyed upon this way; it's just the brand these researchers were apparently successful with. It's possible that other Web-connected printers, or even ones hooked up to a Web-connected computer, could be broken into and changed around, with smoky results.