Carrier User Tracking Is Back On Android Devices, After Congress Voted To Repeal FCC Privacy Rules

Recently, both the US House and Senate voted largely on partisan lines (Republicans for, Democrats against) to overturn the FCC’s new privacy rules that were supposed to protect broadband customers against internet service providers collecting their data and selling it without their consent.

Following the two votes, Verizon was emboldened to enable data-tracking on all of its on-contract Android smartphones, which is reminiscent of the tracking that created the backlash against the “CarrierIQ” tracking software six years ago. The Electronic Frontier Foundation (EFF) even went as far as to call this type of tracking “spyware.”

CarrierIQ Privacy Fiasco

On November 11, 2011, security researcher Trevor Eckhart posted on his website that Verizon, Sprint, and potentially other wireless service providers were installing the CarrierIQ user tracking software on many of their Android-running smartphones. The researcher defined the software as a “rootkit” because it had low-level privileges on the smartphones while hiding its actions from users.

The rootkit was used to collect what websites users visited, search terms they typed, location of their device, and app usage data, as well as information about the usage of the carrier’s own products and about the type of demographics that were using the phones. The data was obtained without user consent.

Initially, the CarrierIQ company sent a cease and desist letter to Eckhart claiming copyright infringement for posting CarrierIQ training documents. The firm also denied the researcher's allegations that they were collecting all the keystrokes of smartphone owners. However, only two weeks later, and after the EFF got involved in the case, CarrierIQ retracted its cease and desist letter and apologized to Eckhart.

Since then, smartphone makers and carriers seemed to have stopped using CarrierIQ software specifically. The CarrierIQ company was acquired by AT&T in 2015, and the wireless company said that it only uses the technology to “improve the customer’s network and wireless service experience.”

Verizon AppFlash: What’s Old Is New Again

Although the CarrierIQ rootkit fiasco upset many smartphone users, Verizon seems to want to bring back much of the same kind of tracking to the smartphones it sells today. Verizon announced a new “AppFlash” app launcher and web search utility that will come to all new and existing subscribers that use Android smartphones.

According to Verizon’s own AppFlash privacy policy, this is the type of information that will be collected by default:

We collect information about your device and your use of the AppFlash services. This information includes your mobile number, device identifiers, device type and operating system, and information about the AppFlash features and services you use and your interactions with them. We also access information about the list of apps you have on your device. With your permission, AppFlash also collects information about your device’s precise location from your device operating system as well as contact information you store on your device.

Verizon seems to be saying that at least the location tracking will be done with your permission, although it’s not clear how exactly this will be implemented, and whether or not it will be truly opt-in for the smartphone user. Depending on Verizon’s own interpretation, it may also be able to track location whenever location is enabled on an Android device.

Verizon’s Not So Simple Opt-Out Solutions

Once the FCC privacy framework is fully overturned, it remains to be seen if the Federal Trade Commission (FTC) could still enforce its own privacy rules against Verizon. However, the FTC has historically only issued small million-dollar fines over such privacy violations, which likely don’t serve as a strong enough deterrent for companies that may stand to make a thousand times that amount (billions of dollars) by violating those rules.

The real issue here is that most of the information will be collected without consent, and if users want to stop that collection (or a large part of it), they will have to opt out. The majority of people tend not to opt out of any type of tracking, usually because they aren’t even aware that it’s happening in the background, but also because it can often be somewhat of a hassle to do it.

Verizon has a web page where you can opt out of its Aol ad network tracking, but to completely stop any sort of tracking you have to visit multiple locations and follow multiple steps. The opt-outs also don’t seem to completely stop the ads that Verizon may still be injecting in your web traffic. It’s just that they won’t be based on the type of websites you visit anymore or any tracked data.

Please note that by limiting ad tracking or opting out by way of any of the choices described, you will still see ads in the same places, but those ads may be less relevant because they will no longer be based on your interests.

AppFlash - The “Flash” Of Android Devices In Terms Of Attack Exposure?

The name Verizon chose may end up being predestined. According to the EFF, the fact that Verizon will put AppFlash on all of its Android devices could further expose users to a new attack vector. Chances are Verizon isn’t going to ensure the launcher is highly secure, considering it seems to be based on a third-party solution that’s been rebranded by Verizon.

Just like the Adobe Flash player, the Verizon AppFlash could also lure attackers into exploiting it, especially because it seems to have system permissions and it can be used to launch any other (malicious) app or website.

Now that the FCC privacy rules are close to being repealed--the resolution passed by Congress still needs the President’s signature--we may see other carriers and broadband providers launch similar user-tracking solutions for the devices they sell or rent with their services.

This could put an end to the idea that internet and voice providers can only provide their service for a fair payment that the customer is willing to offer. The providers will instead be able to make money both from subscriptions as well as from selling customers’ data to advertisers, typically without the customers’ consent.

If the net neutrality rules are repealed as well, that could further increase the wireless and broadband service providers’ leverage over both internet companies and their customers, who may see reduced choice on the devices offered by these providers. It could also allow the wireless and broadband providers to slow down the services and tools that would stop their tracking, such as VPN services and the Tor network.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • Jeff Fx
    I'd hope Verizon puts themselves out of business by doing this, but most people probably won't even understand that Verizon is intruding on their privacy, enabled by corrupt politicians.
  • esco_sid
    Android might have more options or whatever but I stick to Apple as carriers can't really put anything on the phones and they are generally more secure due to the closed ecosystem.
  • falchard
    I don't think it will really matter. Just don't get Verizon or ATT if you are worried about security. For end-users with poor technical ability it will help technicians and law enforcement if the device is stolen.
    Verizon is deeply embedded into the US internet infrastructure. Outside of its mobile network, it also owns one of the largest internet exchange points.
  • shrapnel_indie
    Everybody does realize these rules have never been implemented, right? (Adopted, yes, Implemented, no.) It does leave a status-quo point though as these things could still be going on right up to the point the rules were actively enforced...

    Encourage your D.C. Representatives to re-enact them, or something even better for the consumer and individual if you are unhappy about this. Just don't cry foul and whine about it. If enough demand it, they'll do it if they wish to be re-elected.
  • Martell1977
    I ditched Verizon shortly after they sold off FIOS to Frontier and my service went to crap. Everyone I know that had FIOS and VZW have now moved away from both as they were disgusted with how they screwed their customers on the FIOS side and the people wanted nothing more to do with them. (Yes, I'm still ticked off about the FIOS fiasco)

    AT&T has been pretty good so far, but if they follow suit with the tracking garbage, I will have to start shopping for a carrier with common sense.

    As for Apple products...the carrier can add apps to any device on their network, Apple phones are no different, other than it's easier on Android phones as much of the software is already there.
  • esco_sid
    19501131 said:
    Everybody does realize these rules have never been implemented, right? (Adopted, yes, Implemented, no.) It does leave a status-quo point though as these things could still be going on right up to the point the rules were actively enforced...

    Encourage your D.C. Representatives to re-enact them, or something even better for the consumer and individual if you are unhappy about this. Just don't cry foul and whine about it. If enough demand it, they'll do it if they wish to be re-elected.
    Unfortunately they're more likely to do what their donors demand, not the people; if they outspend the next guy 5x more they're pretty much going to get re-elected.
    19501203 said:
    As for Apple products...the carrier can add apps to any device on their network, Apple phones are no different, other than it's easier on Android phones as much of the software is already there.
    No, actually Apple does not allow any software to be installed from the carrier; they can't even block iPhone updates to iOS as they can on Android.
  • brenro12
    Is anyone really naive enough to think this ends with Verizon Android phones? I can get by without a smartphone. If enough other people feel that way see how fast that legislation gets changed.
  • shrapnel_indie
    19501558 said:
    Is anyone really naive enough to think this ends with Verizon Android phones? I can get by without a smartphone. If enough other people feel that way see how fast that legislation gets changed.

    ONLY if they know why the mass exodus away from smart phones.... too bad too many people are so attached to theirs to move away from smart phones and tablets to make it an effective tactic
  • schwatzz
    Good to know that Republicans are looking out for us.
  • velocityg4
    Does anyone else find it ironic that Tom's is aware this is an issue. They alert us to measures we can take. Yet they don't support https.

    Not to mention they still serve up click bait ads and autoplay video ads. Yeah, Yeah I know about adblockers and use them most of the time. So I don't need to hear from someone about using an adblocker. That isn't the issue. The issue is they should better vet their advertisers. Then maybe we wouldn't have to use ad blockers. I could understand some crafts blog not doing a good job of this. But this is a tech site. Supposedly full of IT pros.