Recently, both the US House and Senate voted largely on partisan lines (Republicans for, Democrats against) to overturn the FCC’s new privacy rules that were supposed to protect broadband customers against internet service providers collecting their data and selling it without their consent.
Following the two votes, Verizon was emboldened to enable data-tracking on all of its on-contract Android smartphones, which is reminiscent of the tracking that created the backlash against the “CarrierIQ” tracking software six years ago. The Electronic Frontier Foundation (EFF) even went as far as to call this type of tracking “spyware.”
CarrierIQ Privacy Fiasco
On November 11, 2011, security researcher Trevor Eckhart posted on his website that Verizon, Sprint, and potentially other wireless service providers were installing the CarrierIQ user tracking software on many of their Android-running smartphones. The researcher defined the software as “rootkit” because it had low-level privileges on the smartphones while hiding its actions from users.
The rootkit was used to collect what websites users visited, search terms they typed, location of their device, and app usage data, as well as information about the usage of the carrier’s own products and about the type of demographics that were using the phones. The data was obtained without user consent.
Initially, the CarrierIQ company sent a cease and desist letter to Eckhart claiming copyright infringement for posting CarrierIQ training documents. The firm also denied the researcher's allegations that they were collecting all the keystrokes of smartphone owners. However, only two weeks later, and after the EFF got involved in the case, CarrierIQ retracted its cease and desist letter and apologized to Eckhart.
Since then, smartphone makers and carriers seemed to have stopped using CarrierIQ software specifically. The CarrierIQ company was acquired by AT&T in 2015, and the wireless company said that it only uses the technology to “improve the customer’s network and wireless service experience.”
Verizon AppFlash: What’s Old Is New Again
Although the CarrierIQ rootkit fiasco upset many smartphones users, Verizon seems to want to bring back much of the same kind of tracking to the smartphones it sells today. Verizon announced a new “AppFlash” app launcher and web search utility that will come to all new and existing subscribers that use Android smartphones.
According to Verizon’s own AppFlash privacy policy, this is the type of information that will be collected by default:
We collect information about your device and your use of the AppFlash services. This information includes your mobile number, device identifiers, device type and operating system, and information about the AppFlash features and services you use and your interactions with them. We also access information about the list of apps you have on your device.With your permission, AppFlash also collects information about your device’s precise location from your device operating system as well as contact information you store on your device.
Verizon seems to be saying that at least the location tracking will be done with your permission, although it’s not clear how exactly this will be implemented, and whether or not it will be truly opt-in for the smartphone user. Depending on Verizon’s own interpretation, it may also be able to track the location when the location on an Android device is enabled.
Verizon’s Not So Simple Opt-Out Solutions
Once the FCC privacy framework is fully overturned, it remains to be seen if the Federal Trade Commission (FTC) could still enforce its own privacy rules against Verizon. However, the FTC has historically only issued small million-dollar fines over such privacy violations, which likely don’t serve as a strong enough deterrent for companies that may stand to make a thousand times that amount (billions of dollars) by violating those rules.
The real issue here is that most of the information will be collected without consent, and if users want to stop that collection (or a large part of it), they will have to opt-out. The majority of people tend not to opt-out of any type of tracking, usually because they aren’t even aware that it’s happening in the background, but also because it can often be somewhat of a hassle to do it.
Verizon has a web page where you can opt-out of its Aol ad network tracking, but to completely stop any sort of tracking you have to visit multiple locations and follow multiple steps. The opt-outs also don’t seem to completely stop the ads that Verizon may still be injecting in your web traffic. It’s just that they won’t be based on the type of websites you visit anymore or any tracked data.
Please note that by limiting ad tracking or opting out by way of any of the choices described, you will still see ads in the same places, but those ads may be less relevant because they will no longer be based on your interests.
AppFlash - The “Flash” Of Android Devices In Terms Of Attack Exposure?
The name Verizon chose may end-up being predestined. According to the EFF, the fact that Verizon will put AppFlash on all of its Android devices could further expose users to a new attack vector. Chances are Verizon isn’t going to ensure the launcher is highly secure, considering it seems to be based on a third-party solution that’s been rebranded by Verizon.
Just like the Adobe Flash player, the Verizon AppFlash could also lure attackers into exploiting it, especially because it seems to have system permissions and it can be used to launch any other (malicious) app or website.
Now that the FCC privacy rules are close to being repealed--the resolution passed by Congress still needs the President’s signature--we may see other carriers and broadband providers launch similar user-tracking solutions for the devices they sell or rent with their services.
This could put an end to the idea that internet and voice providers can only provide their service for a fair payment that the customer is willing to offer. The providers will instead be able to make money both from subscriptions as well as from selling customers’ data to advertisers, typically without the customers’ consent.
If the net neutrality rules are repealed as well, that could further increase the wireless and broadband service providers’ leverage over both internet companies and their customers, who may see reduced choice on the devices offered by these providers. It could also allow the wireless and broadband providers to slow down the services and tools that would stop their tracking, such as VPN services and the Tor network.
