Amid widespread concern over an obscure piece of smart-phone diagnostic software that some experts say could be used to collect and transmit sensitive information, a leading academic has called on the industry to give users a one-click way to see what their gadgets are actually doing.
“It would be good to have some form of auditing function built into our devices,” says Jonathan Zittrain, a Harvard Law School professor and cofounder of the Berkman Center for Internet and Society. “The auditing function can be implemented by Apple and by handset makers through Android. Make it part of the ‘About’ tab. And it would show with whom the phone has been communicating and the sorts of things it has been sending.”
Zittrain raised the idea in an interview following a controversy over software developed by a small company called Carrier IQ. Installed on at least 140 million phones, the software is designed to operate in the background and send performance data from handsets to telecom carriers, allowing carriers to diagnose dropped calls and obtain other network information.
The company was thrown on the defensive recently when a security researcher, Trevor Eckhart, said the software collected more sensitive information including “geographical location of the device, the end user’s pressing of keys on the device, [and] usage history of the device,” and posted a video showing the software capturing the text of his text messages, Google search terms, and location information—even though he’d disabled his GPS.
Carrier IQ has taken issue with the dark implications of the researcher’s report. It says the details of the implementation were up to handset makers and that its product didn’t “record, store, or transmit” personal information. That stance has been backed up by some researchers who have nonetheless called for tighter control over what the software can do and—echoing Zittrain’s proposal—for more visibility for end users.
Already, some members of Congress have gotten involved, with Senator Al Franken, of Minnesota, demanding from Carrier IQ a detailed accounting of what data was collected and who got it, including whether law enforcement ever sought or obtained permission to use the technology as a back door for surveillance. The company is slated to reply to those questions on December 14.
Gain the insight you need on security at EmTech Digital.
Watch video from the event