Slashdot Mirror


Preventing Another Carrier IQ: Introducing the Mobile Device Privacy Act

MrSeb writes "Lawmakers in Washington have turned their sights on mobile device tracking, proposing legislation aimed at making it much harder for companies to track you without consent. The Mobile Device Privacy Act (PDF) makes it illegal for companies to monitor device users without their expressed consent. The bill was introduced Thursday by Massachusetts Democrat Representative Edward Markey, co-Chair of the Bi-Partisan Congressional Privacy Caucus. Much of the impetus for the bill came from last year's Carrier IQ debacle, where it emerged that the company's software was found to exist on both iOS and Android devices on AT&T and Sprint's networks. While the company denied any wrongdoing, the software captured keystrokes and sent the details of your device usage back to the carriers. If passed, the legislation would require the disclosure of including tracking software at the time of the purchase of the phone, or during ownership if a software update or app would add such software to the device, and the consumer gains the right to refuse to be tracked. This disclosure must include what types of information are collected, who it is transmitted to, and how it will be used."

11 of 60 comments

  1. Laws don't matter by Anonymous Coward · · Score: 3, Insightful

    They'll just put the required consent in the Terms of Service. Problem solved.

    1. Re:Laws don't matter by icebike · · Score: 3, Insightful

      Exactly.

      Go read the bill folks. All it does is mandate DISCLOSURE

      It doesn't mean that you get to disapprove of the monitoring software and still get to keep the device or maintain service to the device. Where have you ever seen the ability to selectively accept or decline the boilerplate provisions of your contract? Check this box saying you agree to all the terms herein or we can terminate your contract and require you pay your Early Termination Fee.

      The biggest hole is with manufacturer installed monitoring software. It's not at all clear that disclosure would be required if it was on the device at the point of manufacture as opposed to being added later (2a3).

      Further the Exemptions clause (2d) is so broad that you could drive a truck thru it. No disclosure necessary if there was a "reasonable expectation" that monitoring software might exist on the device. What precisely is Reasonable? Some mumbo-jumbo about service quality management buried in the fine print?

      It's a good start, it just needs to be tougher.
      Simply prohibit carrier or manufacturer installation of such software outright.
      Make it an after market package you can sign up for if you have problems and uninstall after the fact.

      --
      Sig Battery depleted. Reverting to safe mode.
  2. Re:Carrier IQ by tlhIngan · · Score: 3, Informative

    I have an iPhone 3GS on AT&T. How do I check if Carrier IQ is on it? Did that program show up "randomly" or only on new phones after a certain date?

    Carrier IQ exists on several levels. For Android, it went particularly deep, enough to be able to capture the key codes (whe you typed). For iOS, it couldn't go as deep, so it was used mostly for its ability to collect diagnostic data ("send diagnostic information to Apple").

    I believe it came in around iOS 4 or so, but 5 I think eviscerated it as Apple implemented it themselves. If not, the sure way is to just disable sending diagnostic information to Apple.

  3. My EULA by puddingebola · · Score: 3

    I just noticed in my EULA that I have renounced my citizenship and rights as a US citizen.

  4. Bought and paid for by k0nane · · Score: 2

    As much as I - as one of the Android world's major fighters of CIQ - and the rest of /. may like this, we all know it's not going anywhere. Regulatory capture, anyone?

  5. Hypocrisy by mewsenews · · Score: 3, Insightful

    I love how the government is trumpeting the fact that they're doing this, because they're all upset that THEY should be the only ones allowed to track people.

  6. need a technical solution, too by Anonymous Coward · · Score: 3, Interesting

    A legal solution is fine, but it isn't sufficient by itself. It's like trying to legalize that I don't receive spam. Well, the law can't really do that (it's tried). I can only do that myself, by being careful with who I give my email to.

    So this seems like the same idea. Such a law doesn't hurt, but it isn't enough, by itself. What's needed is a technical infrastructure where the people who buy mobile products fully control them, from the hardware on up, rather than some phone carrier controlling them. Then I can blow away whatever crapware comes with the device by installing my own operating system and only running software I trust.

    As long as the device is secured against the people who buy them, there can be no trust that we have any privacy.

    If they wanted to pass a better law, they'd have passed one like that: carriers cannot secure phones against who buys the phones.

  7. Carriers shouldn't sell phones by hobarrera · · Score: 4, Insightful

    I've said it once, and I'll say it again: carriers have no business selling mobile phones, they need to be separate things, to avoid vendor lock-in, and plenty of other issues.
    I'm still surprised how many people in the US seem to buy their phones from their carriers really. Phones need to be sold in closed boxes on default factory settings, and sold by phone-selling companies. Otherwise, there's a severe conflict of interests.
    Imagine if PCs were sold by ISPs, and TVs by cable-companies!

  8. disclosure by sl4shd0rk · · Score: 3, Interesting

    Disclosure is pointless. Firstly, it doesn't prevent the carrier from installing spyware on your device. Secondly, it's often worded in a way which leaves the customer clueless:

    "..In agreeing to these terms, you authorize
    Sprint to collect the necessary data needed to improve
    and maintain equipment, networks, and customer service.
    At no time will Sprint share this information with unaffiliated
    third-parties, or individuals"

    People just "meh" at shit like this and click through it. The lawyers know it too. I say, If you're going to raise hell about CarrierIQ, make a policy that requires the individual to Opt-in.

    --
    Join the Slashcott! Feb 10 thru Feb 17!
  9. Re:And on the 237th page of the EULA... by icebike · · Score: 2

    Android is already pretty good at this, by giving users a pretty detailed list of what information an app has access to at the time the app is installed

    Well, not really all that good.
    It's there, but does your mom understand it?

    Why should merely mentioning that the Game you just installed has access to your address book be enough?

    Android needs, (and there is some movement towards this) a much finer grain control, where an app will be subject to a permissions module
    that the user can control to deny access to specific things at the OS level. If said games stop working because the users deny access to
    contacts or emails, that's fine. At least we know where we stand and what kind of ratbastards we are dealing with.

    --
    Sig Battery depleted. Reverting to safe mode.
  10. Re:Screw Disclosure by geminidomino · · Score: 2

    Five will get you ten that your "right to refuse it" is the exact same "right to refuse" that you've had since the shitstorm started: don't buy the phone. Otherwise, consent is implied.

    These are cell phone carriers we're talking about. There's nothing too scummy for them.