Rootkit on YOUR Phone Allows A Company You’ve Never Heard of to Spy on You – Plus how Other Corp. Tech Practices are Stripping your Privacy

If you use an Android, Symbian, BlackBerry, webOS or an iOS phone, virtually every keystroke you’ve ever made may have been captured by a rootkit belonging to a company called Carrier IQ that provides diagnostic tools used on over 141 million smartphones.

What is a rootkit? 

Wikipedia defines a rootkit as software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications.

Where can I learn more about this issue?

Typing ‘Carrier IQ rootkit’ into a search engine will bring back over 2 million results showing just how large a firestorm was generated by the news of this spying. A great overview of what’s gone on can be found in this Computerworld article FAQ: Behind the Carrier IQ rootkit controversy.

Is what they’ve done legal?

This is unclear, but plenty of lawyers are unquestionably sharpening their knives and looking into it – as are legislators; see Sen. Franken Demands Answers from Company Accused of Secretly Logging Location and Private Information.

Furthermore, the Computerworld article reports that “the Electronic Privacy Information Center noted that the use of Carrier IQ’s software to log data may constitute an ‘unlawful intercept’ of data under the ECPA.” And in “comments made to Forbes, former Justice Department prosecutor Paul Ohm said that the use of the software could be grounds for class action lawsuits based on federal wiretapping laws.”

The broader threat

If the allegations hold true, this level of spying – or even engineering into the product the ability to spy – is a horrific breach of consumer privacy and trust. But it should also be a wake-up call about not only what’s technically possible, but what’s actually happening today under the radar of consumers.

Combine this breach of trust, privacy and decency with the last blog post I wrote, Credit Score on Steroids to Track Consumers Every Financial Move, and my blogs The ‘Wiretappers Ball’ Threatens Internet Privacy, Civil Rights Get Trampled in Internet Background Checks, and It is Absolutely Critical that you Understand YOU Are the Digital World’s Currency.

What you’ll take away is the stark reality that the power of technology when steered by unethical corporate greed without strong regulatory oversight obliterates the principles of privacy.

I wanted to believe that the technology and corporate world’s plea for ‘self-regulation’ of the internet could work in spite of the long history of cases where self-regulation has failed (when hasn’t it?).

We’ve hit a point where not only has self-regulation failed, the damage caused by this colossal breach of consumer trust, privacy, safety, security, and dignity is close to irreparable for our generation.

This insidious threat to our way of life is as significant as any terrorist threat against the country.

Industry standards and best practices have not matured enough to compel the industry to adhere to the safeguards you deserve. As a result, and in spite of the fact that I am no fan of overregulation, without significant industry changes to improve their respect of your rights, legislation and oversight must be created to encourage the industry to act in a way that respects and protects consumers, as well as codifies and enforces our rights.

In 2005 I wrote an article titled Your Internet Safety Bill of Rights, and I made the article one of my first blogs when I created the website in the fall of 2006. Last year I updated that Bill of Rights to expressly address some of the newest methods companies and services are using to assault your safety, security and privacy.

Here is that updated version:

Your Internet Safety and Privacy Rights – Standards for Respectful Companies

ALL Internet users have the right to a safe Internet experience, and respectful companies strive to provide quality safety and privacy options that are easily discovered and used by consumers. Your safety and privacy, as well as the safety and privacy of your family on the Internet, should be core elements of online product and service design, not left to features a company adds at the last minute (“add-ons”) or those you have to pay extra for. You can’t buy a new car without safety belts, air bags or rigorous safety testing; you shouldn’t have to settle for Internet products or services that fail to offer safety in the same basic way.

In a nutshell, every online consumer should have these rights:

1. You have the right to an informed online experience.

  • You should be informed in advance about any potential safety or privacy risks in products, web programs and services such as an instant messaging program, a social networking site, a location technology, or with an Internet enabled device like cell phones, game consoles etc. so you can make safety and privacy choices that are appropriate to your circumstances.
  • You have the right to expect complete, easily understood, information about every safety and privacy feature in a product or service, and age appropriate recommendations by feature should be easy to discover.
    • At the bare minimum, you should be able to find site and feature specific safety information and tools through the website’s Help section.
    • Ideally, services should provide just-in-time safety and privacy advice and tools at key points, such as when adding information or when posting photos. This is particularly critical during signup and registration when, as part of that process, you should be taken through the progression of establishing privacy and safety settings.
  • When services are upgraded, you have the right to be informed of new features or changes to existing features and their impact on your – or your child’s – safety or privacy in advance of the rollout. Additionally, you should have a clear way to opt out of, or block, any features you’re uncomfortable with.
  • You have the right to know the privacy and safety policies and practices of online products and services.
    • These should be easy to find and written in terms that are easy to understand.
    • The terms and practices of any third party applications a service uses, or passes users through to, should be explicitly displayed as part of the transition process between services so you always understand the terms and conditions under which you’re protected – or exposed. If there are privacy and safety choices offered by the third party application, customizing your settings should also be a part of the transition.
  • You have the right to receive advance notice of any intended changes in the terms and conditions that will affect your safety, privacy, or alter the terms in any other substantial way, rather than being hostage to a site’s claim that their terms are ‘subject to change at any time’ where the onus is on you to discover any changes. This notice may come in the form of an email, text, or during your next login experience.

2. You have the right to set your own terms for your online experience (within the constraints of the law).

  • Your personally identifiable information (PII), or indirectly identifiable information (III) is yours. With your permission, sites can be stewards of that information to manage and enhance your experience on the services they offer, but your identifiable, or indirectly identifiable information is not any company’s or entity’s asset – unless you have expressly given this permission and been offered a realistic option of using the service without giving this permission.
    • Case-by-case permission should be required from you prior to your information being used in any way that you have not explicitly agreed to.
  • You have the right to demand the removal of any content you have posted either on your own pages, or comments on other pages, and you have the right to demand removal of information the site has collected about you at any time.
  • You have the right to set boundaries so that you are only exposed to the level of potential risk or exposure you’re comfortable with, whether you’re more willing to take risks or more risk averse, or more or less privacy conscious. This extends to managing the online experience of minors in your care. This includes the ability to:
    • Select content that matches your values and block content you do not wish to see, no matter your age.
    • Block individual users, groups of users, unknown users, or types of users from contacting you, no matter your age.
    • Know if you are being monitored online and how you are being monitored—such as which of your activities are being tracked and to whom they are being reported or displayed. Children have this right, too.

3. You have the right to expect online products and services to guard your safety and privacy.

  • You have the right to feel confident that products and services will not be released to the public without undergoing rigorous safety, privacy, and legal reviews and testing.
  • You have the right to easily report abuse of the products or abuse through the products of you or someone in your care.
    • You have the right to expect a response to your issue, and to expect immediate corrective action from the company when appropriate.
    • You should be able to see statistics demonstrating how well the company enforces its policies.
  • You have the right to expect a “product recall notice” or alert if a significant safety or privacy risk is discovered in an online product or service you or someone in your care is using.

Your safety rights won’t be established in Internet services overnight, but if you let companies and other online entities know what you demand, they will surely be delivered faster.

As consumers you can—and should—vote with your feet if the experience you’re having on a service doesn’t meet your expectations. You can and should be able to report companies that fail to protect your safety and privacy to appropriate authorities and have swift and decisive measures taken against those companies.

Make a difference; your privacy and way of life, and that of your children, are on the line.
