With Mobile Devices, Users Are the Product, Not the Buyer

A lot has been said about the Carrier IQ software, the way that it’s used by carriers and whether it’s capable of intercepting calls, texts and data on users’ handsets. It’s still not clear exactly what’s going on, but one lesson has emerged from all of this: The mobile devices people buy and use for personal and sensitive tasks every day simply do not belong to them.

Those devices belong to the carriers. Not the consumers.

The great promise and attraction of smartphones such as iPhones, Androids and BlackBerrys is that they give users the ability to customize their experience. They have their choice of a seemingly infinite variety of apps–games, communications tools, travel tools, whatever they need. They can access enormous playlists of music, do video calls and update their friends on their whereabouts with two clicks.

In many ways, these mobile devices are far more personal than the PC ever was. But in many other ways, those devices also are far less personal than PCs and hold more potential for abuse.

Consider the way that the mobile ecosystem works right now. The handset manufacturers build the devices, install the operating system and ship them off to the various customers, in this case the carriers. The mobile carriers, in turn, take the handsets and install some more software and do some customization and then sell them to the customers. Up until this point, the process is pretty much like the PC sales process.

But the differences–and there are many–come in after the sale. Once a PC is sold to a consumer, that’s usually the last interaction between the seller and the customer, aside from some repair or service. But once the consumer buys a mobile device, that’s just the beginning of the relationship between the carrier and the customer. The carrier in this scenario isn’t just the seller, it’s also the customer’s mobile Internet provider, his phone company and many other things. The carrier has the ability to control much of what the user does with his phone, whether it’s throttling data usage, dictating where he can get his apps from or forcing OS and firmware updates to prevent jailbreaks.

Users have gladly tolerated all of these “features” for years now in return for the ability to carry a hugely powerful computer and communications device with them everywhere they go. But, as we’re all quickly discovering, it turns out that there was more to the bargain.

Let’s use Carrier IQ as a case in point, and let’s give them every benefit of the doubt and assume that their software does exactly what they say, and nothing else. No call logging, no text logging, no URL recording, none of that. It’s just simple diagnostics and QoS information. Even if that’s all the software is doing right now, it’s also creating a trove of information on each user’s interactions with the device and sending it off to the carrier. That data would be quite valuable in some cases to attackers–or even advertisers–who might like to know what Web pages a person is visiting, where he’s located at a given moment or who he’s texting.

The potential for abuse is there, not just by Carrier IQ or the user’s specific carrier, but also by attackers or malicious apps that could potentially access that data on the phone or in transit.

But there’s another equally worrying aspect to this situation, and that’s the fact that consumers not only were given no choice to opt out of the data collection, but also had no idea that the Carrier IQ software was on their devices in the first place. Without that information and that choice to opt out, users have no alternative to simply allowing their data to be sent off to their carriers. As researcher Dan Rosenberg pointed out in his detailed analysis of Carrier IQ’s functionality, the responsibility for informing consumers about the software and giving them the chance to opt out falls on the carriers themselves, not on Carrier IQ.

Whether that will ever happen remains an open question. But this whole episode has made it clearer than ever that consumers should have no illusions about who owns the devices they carry around, and in some cases, the data they generate. It’s the carriers, not the users.

We’re the product, not the buyer.
