Verizon broke its silence today on what many believed would be a controversial rollout of an app made by Evie Labs called AppFlash, that had been identified by privacy advocates as spyware. The wireless carrier and broadband ISP defended itself Friday saying its critics were flat-out wrong.
Verizon said in a statement:
“As we said earlier this week, we are testing AppFlash to make app discovery better for consumers. The test is on a single phone – LG K20 V – and you have to opt-in to use the app. Or, you can easily disable the app. Nobody is required to use it. Verizon is committed to your privacy.”
The move forced the Electronic Frontier Foundation to retract a highly critical blog post about Verizon that slammed it for taking advantage of a likely rollback of consumer ISP privacy protections.
The civil liberties group argued in the post, titled The First Horseman of the Privacy Apocalypse Has Already Arrived, that in the wake of the likely repeal of ISP privacy rules, Verizon was preparing to install “spyware” en mass on Verizon customers’ Android phones. That was a false claim, according to Verizon.
On Friday, the EFF walked back its criticism of Verizon after it released a statement clarifying the scope of the AppFlash installs and making it clear that the application would require users to opt-in before using the service.
It’s unclear if Verizon had backed off rolling out AppFlash to a wider selection of its phones and changed its opt-in policy when faced with a public outcry. When Threatpost asked, Verizon stated: “The team isn’t able to provide answers at this time.”
The confusion over how privacy rules impact Verizon consumers is reflective of the contentious climate between privacy advocates and ISPs in the wake of an expected rollback of privacy rules.
The EFF and many other privacy advocates have expressed deep concerns over consumer privacy in the wake of a vote Tuesday, by the U.S. House of Representatives, to overturn privacy rules that would have banned internet service providers such as Verizon from tracking broadband and mobile users’ online activities and reselling the data without consumers first opting-in.
Concerning the EFF was a description of AppFlash’s data collection practices outlined in its privacy policy. Evie Labs said it would collect device information and identify apps running on consumer devices. The EFF had argued that doing so would “increase attack surface” of consumer data collected by third parties working with Verizon.
“You can bet that with Verizon rolling this app out to such a large number of devices, hackers will be probing it for vulnerabilities, to see if they can use it as a backdoor they can break into,” the EFF wrote.
Mobile security experts agree that apps that collect data do increase the attack surface.
“Our bigger concern is once this data is freely sold and traded, it is possible for bad actors to acquire this data and perpetrate personalized phishing attacks,” said Allan Zhang, co-founder and CEO of cybersecurity company Trustlook. He added, because apps such as AppFlash collect personal data legally and malware detectors don’t identify them, consumers will likely be oblivious to how their personal information is being collected and used.
Verizon said it is working with Evie to roll out a Verizon-branded version of AppFlash later this year. The app, similar to Google Now, uses a universal search bar allowing users to quickly find apps and web content. AppFlash also uses virtualization technology to allow someone to try recommended apps before buying and downloading them.
According to Evie’s AppFlash privacy policy:
“(AppFlash) collects information about your device and your use of the AppFlash services. This information includes your mobile number, device identifiers, device type and operating system, and information about the AppFlash features and services you use and your interactions with them. We also access information about the list of apps you have on your device.”
Information collected by Evie is also shared with Verizon and AOL for tailoring ads to specific users via AppFlash and other places, including non-Verizon sites, services and devices.
In an interview with Threatpost on Wednesday, Peter Eckersley, chief computer scientist at the EFF, said consumers and advocacy groups need to remain vigilant when it comes to Verizon and other mobile ISPs.
He pointed to pressure on Verizon to allow customers to opt-out of UIDH so-called supercookies in 2015 and the controversy around the use of Carrier IQ’s software in 2011. “Once the privacy rules are nullified, ISPs will be unshackled to collect whatever type of data they want,” Eckersley said.
That’s where consumer choice and outrage can be the tools to win back privacy, he said.
