Is your smartphone spying on you?

By Rajeev Srinivasan
April 28, 2011 20:10 IST

Rajeev Srinivasan on why consumers must be careful with their powerful mobile devices

The news last week that Apple (and later, Google) have been capturing and storing detailed information about the whereabouts of smartphone users has raised the specter of Big Brother among users and privacy advocates. A related Wall Street Journal article on April 23 (The Really Smart Phone) laid out the startling ways in which personal data is being collected and used, mostly for benign purposes; but surely, it can be used for malign purposes as well.

Smartphones: The newest generation touch-screen devices like the iPhone from Apple, Android-based phones, Blackberries, and WebOS devices from HP, among others -- and tablets -- are computers. There is system software (like Windows), and 'apps' (like applications on PCs) that provide useful functions, such as weather reports, exercise monitors, maps, games, travel reservation services, and so on.

These apps are available for download from 'app stores', e.g. from Apple or Google or Amazon. Typical users download dozens of them. Many are free, and others charge a relatively low price, say $1-$10 or Rs. 45-450. There are 300,000 apps in the Apple App Store, and 150,000 in Google's Android Market.

The apps make the devices extremely useful, and the hardware has many sensors, including cameras, microphones, GPS location sensors, a gyroscope, a compass, an accelerometer, proximity sensors, etc. The phone 'knows' which way you are oriented, how fast you are moving, and what you can see and hear around you.

If a hacker remotely controls your machine, they can see and hear everything that the owner is involved in. This would obviously be useful in (industrial and other) espionage, or against wayward spouses. The privacy implications, as well as potential loss of financial data, are troubling.

There are several concerns: one related to hackers, others related to unpleasant side-effects of apps. On top of this comes the issue related to platform players such as Apple and Google. Users need to treat these devices as the powerful computers that they are, and not as dumb phones. A traditional 'dumb' mobile phone is much less vulnerable as it does no more than make calls and send texts. Naturally, a land-line is even less so!

While people have understood some of the implications of the power of these devices, the fact that Apple and Google have been collecting location information is deeply troubling. The data is a log of your location, every few seconds, based on cell towers that have visibility to you. The data is transmitted to Apple's and Google's servers, although they claim it is anonymous data, without a unique identifier that can identify the individual phone.

According to reports in the Wall Street Journal, Apple stores the information for up to a year in an unencrypted database that is easy enough to hack into. Thus, it is possible for a malicious user -- or government -- to track you minutely. It does not appear that this file is transmitted to Apple, but the information is there by default. Google's data is stored more obscurely and not for so long.

Google defended itself by saying that the data in Android phones is collected only if the user 'opts in'. This is true; I can vouch from personal experience on my Android phone: it did ask me if I wished to allow the collection of anonymous data even when the app (in this case the very useful Google Maps) was running. It is necessary for most map users to know where they are, and indeed that is the point of the map app, and so I had to check the option. Indeed, if you wish to use the mapping function, you pretty much have to agree to divulge your data.

The issue is that, unlike what is claimed, it appears that the data is not entirely anonymous: it can identify the particular phone. That is disturbing, as there have already been cases where stalkers in the US (including estranged husbands) used the GPS system on a woman's phone to track her down (and in some cases hurt her). And frankly, many of us would feel queasy if our movements were tracked minutely, and this is even if we are not doing anything illegal or even immoral.

The article on "The Really Smart Phone" paints a picture of mobile phone data being used to track everything from social networks to moods, to relationships -- a picture of individuals and groups in heretofore-unimagined detail, which, frankly, is a little scary: imagine what a totalitarian government can do with this!

Based on massive data mining, mobile phone data (Twitter information) has been used to predict (with 87 percent accuracy) stock market movements, track the viral spread of political ideas, suggest who might be most likely to fall ill, what you are likely to buy, and, with 93 percent accuracy based on your past movements, where you might be at any given time. This last is based on an actual experiment with 100,000 European mobile users.

There is a goldmine in mobile phone data, and Apple and Google, among others, are looking to find it. The most obvious application is for location-based services, as was seen in the customised ads beamed to individuals as they walked along, in the science-fiction film Minority Report. But it is also possible to forecast traffic congestion, people's moods etc. (Remarkably, they found that in the UK, the unhappiest place was Slough, surely a despondent name!)

Thus it makes total sense for Apple and Google to want to capture the data. The question is whether you as a consumer feel queasy about being, as it were, an open book.

A somewhat less fearsome issue is that of rogue apps. Apple validates every app in its store -- but they too have found compromised apps. Google does not verify Android apps themselves, and expects consumers to depend on reviews by other users, a form of crowd-sourcing. However, now Google has promised additional unspecified measures to vet them.

Though apps are useful -- indeed, users spend most of their time on apps -- they can carry viruses, or have side effects. For instance, your personal information (calendar, credit card numbers, messages, call data) may be captured. In the science-fiction horror film The Ghost in the Machine (although not in the original Arthur Koestler nonfiction book of that name) a crazed serial killer attacks people found through others' address books.

In one such episode, Google found in March that 58 malicious apps were distributed to 260,000 Android phones. They had malicious code that would reveal, among other things, the unique identifier or IMSI of the device. The IMSI helps prevent counterfeiting of phones, and the police use it to track criminals.

Google said it had remotely pulled the offending apps from Android users' devices: they were generally "corrupted versions of legitimate products... such as Super Guitar Solo, Advanced Barcode Scanner, Bubble Shoot..." etc, according to the WSJ. The fact that Google could remotely remove the apps is helpful. If your phone was infected, Google would have sent an automatic update to clean it up. But that is still a rather nervous-making proposition.

Another source of concern is advertisements. Many 'free' apps are ad-supported, which means there is a small ad area onscreen. If by chance your fingers slip on the touchscreen, you might end up buying random things: You may get bills for things you did not buy and may be forced to fight with your carrier for refunds. The carrier will feign innocence, suggesting that you have purchased these things -- often useless games or videos -- and technically, yes, you have, although you were entrapped.

Just as in PCs, it is becoming important for smartphone users to practice better hygiene in terms of what they load onto their systems, and also to install anti-virus apps such as Lookout, Norton or AVG. However, that is still no protection against private data being captured and stored. In fact, Google has been facing privacy issues for some time already because its StreetView mapping mechanism (inadvertently, they claim) captured private information about Wi-Fi networks.

Thus, in a demonstration of the power of unintended consequences, the very power of the mobile phone that is one of its most attractive features also carries within it the potential to harm its user.