Preventing Another Carrier IQ: Introducing the Mobile Device Privacy Act

Soulskill posted about a year and a half ago | from the stop-with-the-tracking-and-suchforth dept.

Privacy 60

MrSeb writes "Lawmakers in Washington have turned their sights on mobile device tracking, proposing legislation aimed at making it much harder for companies to track you without consent. The Mobile Device Privacy Act (PDF) makes it illegal for companies to monitor device users without their expressed consent. The bill was introduced Thursday by Massachusetts Democrat Representative Edward Markey, co-Chair of the Bi-Partisan Congressional Privacy Caucus. Much of the impetus for the bill came from last year's Carrier IQ debacle, where it emerged that the company's software was found to exist on both iOS and Android devices on AT&T and Sprint's networks. While the company denied any wrongdoing, the software captured keystrokes and sent the details of your device usage back to the carriers. If passed, the legislation would require the disclosure of including tracking software at the time of the purchase of the phone, or during ownership if a software update or app would add such software to the device, and the consumer gains the right to refuse to be tracked. This disclosure must include what types of information is collected, who it is transmitted to, and how it will be used."

60 comments

First Protest (-1)

Anonymous Coward | about a year and a half ago | (#41339011)

Banned from posting on Slashdot.

-- Ethanol-fueled

Carrier IQ (1)

TaoPhoenix (980487) | about a year and a half ago | (#41339019)

I have an iPhone 3GS on AT&T. How do I check if Carrier IQ is on it? Did that program show up "randomly" or only on new phones after a certain date?

Re:Carrier IQ (3, Informative)

tlhIngan (30335) | about a year and a half ago | (#41339187)

I have an iPhone 3GS on AT&T. How do I check if Carrier IQ is on it? Did that program show up "randomly" or only on new phones after a certain date?

Carrier IQ exists on several levels. For Android, it went particularly deep, enough to be able to capture the key codes (what you typed). For iOS, it couldn't go as deep, so it was used mostly for its ability to collect diagnostic data ("send diagnostic information to Apple").

I believe it came in around iOS 4 or so, but 5 I think eviscerated it as Apple implemented it themselves. If not, the sure way is to just disable sending diagnostic information to Apple.

Re:Carrier IQ (1)

DJRumpy (1345787) | about a year and a half ago | (#41339357)

It was disabled by default on iOS. In order to enable it you had to go into your debugging settings (General - About - Diagnostic and Usage Data), and turn it on. You also had to allow to upload the data to Apple. Unless both of those were on, it wasn't able to do anything.

It was removed completely in iOS 5 meaning you can't even turn it on (the option is grayed out).

that's still there in iOS 5.1.1 (0)

Anonymous Coward | about a year and a half ago | (#41341885)

At least it is on my phone.

And it's on on my phone, you are asked about it when you configure the phone first time.

This is not Carrier IQ. It is not installed by the carrier at all, it's from Apple.

Of course, if you are just worried about usage data in general and not just Carrier IQ, then be sure to turn it off.

Don't worry about it (1)

SuperKendall (25149) | about a year and a half ago | (#41339367)

On the iPhone CarrierIQ did not do [arstechnica.com] most of the stuff the Android version did - no key logging for example.

Apple got rid of CarrierIQ with iOS5 updates anyway.

there was never Carrier IQ on iOS (0)

Anonymous Coward | about a year and a half ago | (#41339459)

Despite what the article says.

Apple does not allow carriers to install software on their phones period.

They can offer apps, but those apps are no different (in capability) than anyone else's apps. And they cannot hide on there.

Been watching too much Fox? (-1)

Anonymous Coward | about a year and a half ago | (#41339021)

"Democrat" representative?

Re:Been watching too much Fox? (1)

Antipater (2053064) | about a year and a half ago | (#41339229)

"Representative" in that context is a title, like "Sir" or "Lord". It's part of the proper name; the grammar was fine (in that sentence, anyway).

Laws don't matter (3, Insightful)

Anonymous Coward | about a year and a half ago | (#41339033)

They'll just put the required consent in the Terms of Service. Problem solved.

Re:Laws don't matter (3, Insightful)

icebike (68054) | about a year and a half ago | (#41339581)

Exactly.

Go read the bill, folks. All it does is mandate DISCLOSURE.

It doesn't mean that you get to disapprove of the monitoring software and still get to keep the device or maintain service to the device. Where have you ever seen the ability to selectively accept or decline the boilerplate provisions of your contract? Check this box saying you agree to all the terms herein or we can terminate your contract and require you pay your Early Termination Fee.

The biggest hole is with manufacturer-installed monitoring software. It's not at all clear that disclosure would be required if it was on the device at the point of manufacture as opposed to being added later (2a3).

Further, the Exemptions clause (2d) is so broad that you could drive a truck thru it. No disclosure necessary if there was a "reasonable expectation" that monitoring software might exist on the device. What precisely is Reasonable? Some mumbo-jumbo about service quality management buried in the fine print?

It's a good start, it just needs to be tougher.
Simply prohibit carrier or manufacturer installation of such software outright.
Make it an after market package you can sign up for if you have problems and uninstall after the fact.

Screw Disclosure (0)

Anonymous Coward | about a year and a half ago | (#41339045)

How about the ability to opt out instead? Telling me about it is a start, but it does not get rid of the problem.

Re:Screw Disclosure (0)

Anonymous Coward | about a year and a half ago | (#41339307)

it's not "instead", it already includes that, you didn't even have to read the FA - the F summary had it.
  just to help you not need to scroll up, since you are way too lazy and incapable, I'll quote it for you

If passed, the legislation would require the disclosure of including tracking software at the time of the purchase of the phone, or during ownership if a software update or app would add such software to the device, and the consumer gains the right to refuse to be tracked. This disclosure must include what types of information is collected, who it is transmitted to, and how it will be used.

so they have to tell what is collected, who it is going to, how they will use it, AND gives you the right to refuse it.
Seems pretty good to me.

Re:Screw Disclosure (2)

geminidomino (614729) | about a year and a half ago | (#41342291)

Five will get you ten that your "right to refuse it" is the exact same "right to refuse" that you've had since the shitstorm started: don't buy the phone. Otherwise, consent is implied.

These are cell phone carriers we're talking about. There's nothing too scummy for them.

How about having to OPT IN 1st? Re:Screw Disclosure (1)

D4C5CE (578304) | about a year and a half ago | (#41344495)

Sectoral data protection laws that take ages to be adopted always after the sad fact while Hydra grows another 7 heads... are part of the problem, not the solution.

Make "thou shalt not snoop" the law of the land, with narrow exceptions that require prior consent (for cases other than self-defense), imposing jailtime and fines on all who infringe upon anyone's privacy.

Ha Ha HA!!!!! (0)

Anonymous Coward | about a year and a half ago | (#41339073)

Come on - it's an election year. Of course they are going to propose
anything for a re-election/election.

Is anybody stupid enough to believe anything like this will pass?

Oh - wait, this is the /. community, sorry.

Re:Ha Ha HA!!!!! (1)

sarysa (1089739) | about a year and a half ago | (#41339621)

Oh, it'll pass, but disclosure will be buried in a EULA or thick contract, and you won't be prompted if you want to remove it. You'll have to ask with forward knowledge that the software exists. At least, that's what the wording of the summary suggests. (maybe I should RTFA...)

And on the 237th page of the EULA... (1)

mcelrath (8027) | about a year and a half ago | (#41339111)

All this will do is put some disclosure into EULAs, certainly buried way toward the back in small print, because everyone knows that users read EULAs before giving their consent, right? But the cat is out of the bag, and this won't cause vendors to stop trying to collect or sell your data. Android is already pretty good at this, by giving users a pretty detailed list of what information an app has access to at the time the app is installed. I've been alarmed at the number of apps that want permission to access information that they really don't need. I've also been alarmed at apps that want your Facebook login. I won't use apps like that, but I think I'm unique among users. Maybe I missed it, but I have not seen any kind of widespread user revolt against this kind of thing, just articles here and there vaguely implying misbehavior (like CarrierIQ). I haven't seen any comments in the Android app store saying "you don't need that permission". The users don't care, so we're going to be railroaded out of the info no matter what we do, because someone else finds it profitable.

Re:And on the 237th page of the EULA... (1)

gstoddart (321705) | about a year and a half ago | (#41339297)

All this will do is put some disclosure into EULAs, certainly buried way toward the back in small print, because everyone knows that users read EULAs before giving their consent, right?

And, the EULA will say that laws, class action suits, and any form of redress for anything they do is hereby absolved by your using the device.

Re:And on the 237th page of the EULA... (0)

Anonymous Coward | about a year and a half ago | (#41339325)

The users don't care

You have identified the root cause of the entire spectrum of privacy-violation problems in modern life.

There is no durable, robust, long-term solution except to fix the fact that users don't care.

Don't let them set the terms. (0)

Anonymous Coward | about a year and a half ago | (#41339443)

I think I'm unique among users.

Unique? Heh, and I've been called egotistical. Better to refer to yourself as a distinct minority.

Those permissions aren't always a Hobson's Choice [wikipedia.org]. Root your device, install CyanogenMod 7.1 or later, and issue line-item veto on those apps' egregious permissions (ha! no "Read Phone State and Identity" for you!). Some apps deal well with being neutered, others crash. I view it as at least giving the app a chance to work; I would never have installed it if I were forced to accept those permissions, so no great loss if it won't work with revoked permissions.

If you're really paranoid, like I am, you'll also block network access for apps that don't require it, via DroidWall.

Re:Don't let them set the terms. (1)

mcelrath (8027) | about a year and a half ago | (#41339821)

Are you telling me that CM will let you install apps that need e.g. "phone state and identity" but will feed them false information?

If so, I'm definitely switching to CM.

Re:Don't let them set the terms. (0)

Anonymous Coward | about a year and a half ago | (#41341275)

Are you telling me that CM will let you install apps that need e.g. "phone state and identity" but will feed them false information?

Not quite, though mock/invalid data would be a nice feature.

Rather, CM 7.2 allows you to revoke permissions listed in the app. So, when the app goes to access whatever permission you have revoked, it finds that the OS will block the attempt. The effect yanks the rug out from under the app, because the net effect is essentially the same as the dev forgetting to add the security permission to the app's list. Some apps tolerate this well, others force close immediately.

For example, I installed Shazam and revoked the "Read Phone State and Identity" permission before launching the app for the first time. So, there was no way Shazam could read my phone state/identity, leaving my privacy intact. However, no dice: the app force closes immediately with that permission revoked, so I uninstalled it. Many apps are okay with this kind of thing, though, so YMMV.

PS. CyanogenMod is in somewhat of a metastable state: it seems they rebased to Google's Ice Cream Sandwich release for CM 9 and lost most of the cool custom features. Thus, app permission management is *only* available in the Gingerbread-derived CM 7.2 release. No worries: the GB release has a lot of nice polish. Screenshots of the UI for the feature can currently be found here. [cyanogenmod.com]

Re:Don't let them set the terms. (1)

geminidomino (614729) | about a year and a half ago | (#41342309)

Fuck that. Don't even play THAT nice.

CyanogenMod balked at it because they didn't want to piss off the developers (boo fucking hoo), but PDroid [google.com] solves the "neutered apps crash" problem by feeding it bogus data.

Re:And on the 237th page of the EULA... (1)

Baloroth (2370816) | about a year and a half ago | (#41339587)

From the proposed bill:

(1) The disclosures shall be made in a clear and conspicuous manner, to be determined by the Federal Trade Commission.

(2) The disclosures shall be displayed in a clear and conspicuous manner on the website of a person required to make such disclosures, except that if such person does not maintain a website, such person shall file such disclosures with the appropriate Commission.

So probably not in a EULA, although it would be up to the FTC to make the appropriate regulation. In any case, they also have to report it to the FTC, and on their website, so people will be able to know about it, which is a significant improvement over the current situation.

Re:And on the 237th page of the EULA... (2)

icebike (68054) | about a year and a half ago | (#41339679)

Android is already pretty good at this, by giving users a pretty detailed list of what information an app has access to at the time the app is installed

Well, not really all that good.
It's there, but does your mom understand it?

Why should merely mentioning that the Game you just installed has access to your address book be enough?

Android needs (and there is some movement towards this) a much finer grain control, where an app will be subject to a permissions module
that the user can control to deny access to specific things at the OS level. If said games stop working because the users deny access to
contacts or emails, that's fine. At least we know where we stand and what kind of ratbastards we are dealing with.

Let me guess... (0)

Anonymous Coward | about a year and a half ago | (#41339161)

I haven't read the bill, but I can confidently state:
* it will create regulations that provide an appearance of privacy but not an actual "expectation of privacy"
* it will not restrict any law enforcement investigations' abilities to spy without warrants or other oversight
Thus pacifying the people who started to get riled before they can move for real change.

Likely, but not certain:
* it will actually expand law enforcement powers by making explicit what they've claimed implicitly, preventing any court but SCOTUS from slapping them down.
* it will contain so many loopholes on "mere" commercial spying as to stop nothing.

My EULA (3)

puddingebola (2036796) | about a year and a half ago | (#41339201)

I just noticed in my EULA that I have renounced my citizenship and rights as a US citizen.

Re:My EULA (1)

Mitreya (579078) | about a year and a half ago | (#41340863)

I just noticed in my EULA that I have renounced my citizenship and rights as a US citizen.

It's fortunate that at least some rights cannot be waived though. Whether EULAs are legal or not, any clauses demanding your soul or your firstborn are invalid.

Someone should write and then try to enforce EULA that renounces user's citizenship. It would be helpful for something like that to go through the court system! (assuming it gets undone, that is...)

tracking devices (0)

Anonymous Coward | about a year and a half ago | (#41339211)

Stop using cell phones. They are just tracking devices. Otherwise, just turn on the camera and show your penis and/or vagina to everyone!

Also, before you know it, we will all have cancer, and if you take advice from my previous sentence.. you will have genital cancer!

So if you don't want your genital(s) to fall off, you should stay clear from cell phones, aka tracking devices, aka penis and/or vagina cameras.

Bought and paid for (2)

k0nane (1132495) | about a year and a half ago | (#41339221)

As much as I - as one of the Android world's major fighters of CIQ - and the rest of /. may like this, we all know it's not going anywhere. Regulatory capture [wikipedia.org], anyone?

Hypocrisy (3, Insightful)

mewsenews (251487) | about a year and a half ago | (#41339231)

I love how the government is trumpeting the fact that they're doing this, because they're all upset that THEY should be the only ones allowed to track people.

need a technical solution, too (3, Interesting)

Anonymous Coward | about a year and a half ago | (#41339233)

A legal solution is fine, but it isn't sufficient by itself. It's like trying to legalize that I don't receive spam. Well, the law can't really do that (it's tried). I can only do that myself, by being careful with who I give my email to.

So this seems like the same idea. Such a law doesn't hurt, but it isn't enough, by itself. What's needed is a technical infrastructure where the people who buy mobile products fully control them, from the hardware on up, rather than some phone carrier controlling them. Then I can blow away whatever crapware comes with the device by installing my own operating system and only running software I trust.

As long as the device is secured against the people who buy them, there can be no trust that we have any privacy.

If they wanted to pass a better law, they'd have passed one like that: carriers cannot secure phones against who buys the phones.

Re:need a technical solution, too (1)

cdrguru (88047) | about a year and a half ago | (#41339947)

How about a law that says if you cannot compile and build your own phone software you have no business having a mobile phone?

How about a similar law that says if you cannot build and install Linux from source you cannot have a computer? Proof of such ability results in a federal license which is then required to buy any computer or computer parts. And the penalty for selling such devices to anyone without a license is banishment to some tiny island without Internet access.

The only problem with that is we would run out of islands long before the problem was solved. But it would solve the malware and spam problems as well as eliminate the rare earth metals monopoly held by China. It would also solve most environmental problems.

It's Not Enough (0)

Anonymous Coward | about a year and a half ago | (#41339251)

Just having to disclose that what you track from the customer is not good enough. The ability to opt out must be mandatory.

samsung galaxy s iii ( t-mobile ) (-1)

Anonymous Coward | about a year and a half ago | (#41339257)

Seems to have carrierIQ installed on them...

Carriers shouldn't sell phones (4, Insightful)

hobarrera (2008506) | about a year and a half ago | (#41339261)

I've said it once, and I'll say it again: carriers have no business selling mobile phones, they need to be separate things, to avoid vendor lock-in, and plenty of other issues.
I'm still surprised how many people in the US seem to buy their phones from their carriers really. Phones need to be sold in closed boxes on default factory settings, and sold by phone-selling companies. Otherwise, there's a severe conflict of interests.
Imagine if PCs were sold by ISPs, and TVs by cable-companies!

Re:Carriers shouldn't sell phones (1)

CubicleZombie (2590497) | about a year and a half ago | (#41339413)

I'm still surprised how many people in the US seem to buy their phones from their carriers really.

Faced with the choice of a $700 phone and $50/month service, or a $99 phone and $89/month + 2-year service contract, most people will choose the subsidized option. Most, as in just about everybody. And if I bring my own phone to a provider, they're still going to charge me the higher price, so I might as well get the subsidized phone.

You're onto something about PCs from ISPs. Notice all the netbooks for sale at cell phone stores? I think that's the future business model for computers, especially with today's cheap throwaway computers. Pretty soon it will be $99 for a computer, with a $89/month 2 year service contract. And a bandwidth cap.

Re:Carriers shouldn't sell phones (1)

geminidomino (614729) | about a year and a half ago | (#41342351)

Minor nitpick: In the US, I believe only T-mobile offers a (small) discount on the service charge if you bring your own device.

So really, you mean a $700 phone + $89/month (no contract) or $99 phone + $89/month 24-month contract, or $700 phone + $69/month service + shitty coverage...

Re:Carriers shouldn't sell phones (1)

subreality (157447) | about a year and a half ago | (#41343173)

IMO it's not just subsidies. It's also that every network in the US is using incompatible standards. Verizon and Sprint are CDMA; AT&T and T-Mobile are GSM. But if you want anything more than 2G you then get into a mess of UMTS vs LTE vs HSPA[+] vs WiMax vs CDMA2000 vs who knows what else. Even then if you have the right interface you need it to be on the correct frequency.

Making a phone that works on all the standards would be prohibitive. Deciphering all the standards to get a compatible handset is completely beyond your average consumer. The solution is for the carriers to just stock compatible phones and sell them to you.

It looks like everyone is moving toward LTE for now, so perhaps it will improve, but I'm not holding my breath.

Re:Carriers shouldn't sell phones (1)

DarwinSurvivor (1752106) | about a year and a half ago | (#41339431)

For a while Telus (landline, phone & internet company) was giving away "free computers" to people that signed up for a certain level of internet access. As far as I know it wasn't THAT popular, but I do know at least 1 person (completely non-technical user) that got the laptop offer.

Useless measure (1)

Khyber (864651) | about a year and a half ago | (#41339305)

First and Foremost needs to be the mention of such privacy-violating software in the EULA/ToS of the agreement. Screw all the other parts. Make this paramount.

Not illegal (1)

girlintraining (1395911) | about a year and a half ago | (#41339313)

I love our new Congress: Nothing is illegal, as long as it's documented.

Re:Not illegal (1)

silas_moeckel (234313) | about a year and a half ago | (#41339449)

It's ok as long as the cops are doing it? We need a it's not legal to track people without a warrant for anybody. Exceptions for with consent for research or internally for network development (no sending the data over the wall to advertising).

samsung galaxy s iii ( t-mobile ) (-1)

Anonymous Coward | about a year and a half ago | (#41339323)

FYI, carrierIQ has been detected in my phone, a samsung galaxy s iii.

disclosure (3, Interesting)

sl4shd0rk (755837) | about a year and a half ago | (#41339489)

Disclosure is pointless. Firstly, it doesn't prevent the carrier from installing spyware on your device. Secondly, it's often worded in a way which leaves the customer clueless:

"..In agreeing to these terms, you authorize
Sprint to collect the necessary data needed to improve
and maintain equipment, networks, and customer service.
At no time will Sprint share this information with unaffiliated
third-parties, or individuals"

People just "meh" at shit like this and click through it. The lawyers know it too. I say, If you're going to raise hell about CarrierIQ, make a policy that requires the individual to Opt-in.

Re:disclosure (1)

joe_frisch (1366229) | about a year and a half ago | (#41341571)

It still doesn't help to have an opt-in. The carriers will just require you to opt-in before using any of the features of the phone. Since all carriers will have nearly identical EULAs you will be required to opt-in if you want to communicate in the modern world.

Workaround (1)

1080bogus (1015303) | about a year and a half ago | (#41339677)

Carriers will merely put this into their TOS or other contracts with fine print that a lot of people don't read but sign anyways. Mandate a specific title and format of the text so people actually notice it before they just agree. Better yet, mandate it a yes or no question on the agreement. It'd be no different than the customer improvement prompt you get for certain software to know how you use it.

Solution (0)

Anonymous Coward | about a year and a half ago | (#41339735)

Go Nexus and roll your own from AOSP. You've got all the source.

Not sure what this would mean.... (1)

Anonymous Coward | about a year and a half ago | (#41339771)

If the carrier can not capture keystrokes. How would it know that you want to make a phone call or what the text should say or what website to display? Sometimes I wonder about privacy freaks... Maybe I shouldn't do that.... They might pass a thought law.... Never mind...

Difference between the PHONE and the Carrier (1)

RobertLTux (260313) | about a year and a half ago | (#41341079)

this is about the carrier getting a full keystroke log from your phone

so if you typed something decided it was stupid edited it to something sane THE CARRIER WOULD GET BOTH VERSIONS

so let's say you decided to text somebody half drunk after knocking over a convenience store. you decide to NOT tell the world that you just hit %store% but decided to say something else. The Police could get the Evidence version.

A meaningless law (0)

Anonymous Coward | about a year and a half ago | (#41341655)

legislation would require the disclosure of including tracking software

Translation: By the way, you're a commodity to be sold by us to the government and other interested parties.

It's why data-tracking won't be banned completely. The sheeple just want, and get this stuff for free; admitting the hidden costs won't change their behaviour.

The code is law (0)

Anonymous Coward | about a year and a half ago | (#41342133)

And unless that code is Free as in Freedom, expect laws in the meat-space world to always afford data-miners a loophole.

https://archive.org/details/EbenMoglen-HowToRetrofitTheFirstLawOfRoboticshope92012

https://archive.org/details/TheComingCivilWarOverGeneral-purposeComputing

Wishful Thinking (0)

Anonymous Coward | about a year and a half ago | (#41343859)

Depending on how it's written, it will either be completely nullified while it's made to having workarounds created by the time it's implemented.
One, forcing waivers in a EULA acceptance/update in order to use/keep service. Two, include generalized language in those warnings that include all possibilities without giving any details. Three, many simply won't care. Four, lobbying will get changes to allow those loopholes. Four, the government will grant itself an exemption and the companies will piggyback on it.

Hobbits with furry feet...and hands. (1)

Impy the Impiuos Imp (442658) | about a year and a half ago | (#41346009)

Be careful of new laws: "No company can track you, but the government can do whatever it wants."

They're perfectly content to let you rage on about the pseudo-evil of corporations while Sauron bides his time.
