The Inquisition

Oy vey! According to a report from Reuters (via Phonescoop), U.S. Sen. Charles Schumer, D-N.Y., has called for the Federal Trade Commission to investigate "reports that applications on the Apple Inc and Google Inc mobile systems steal private photos and contacts and post them online without consent."

OK, folks. Let's see if we can't explain this again. There was a report in the New York Times that exposed a flaw in iOS that lets applications have full access to an iPhone or iPad's Camera Roll (the equivalent of the Android "Gallery") if said application has access to GPS location. It's not that apps can't have access to images, it's just that the way they're going about it here is in violation of the iOS terms of service, and Apple's fixing it, as it does with other bugs. And as we've previously told you, it has absolutely nothing to do with Android.

Google's mobile operating system treats photos taken by your phone the same way your desktop or laptop would, whether it runs Windows, Linux -- or, yes, Apple's own Mac OS. They're files, saved to wherever it is you save your files. No more, no less. And any program on your computer -- application, if you like -- has full access to these files. And, no, you didn't have to check some big flashing light that said "Hey! I have full access to your computer because you put me on it, or I was preloaded, or whatever!" And you've been perfectly cool with this for as long as you can remember.

But being a perfectly normal operating system with a perfectly normal and acceptable file system isn't good enough these days. And, so, says Sen. Schumer, in the case of iOS apps uploading contacts without explicit permission, "these uses go well beyond what a reasonable user understands himself to be consenting to when he allows an app to access data on the phone for purposes of the app's functionality."

Now, we're willing to bet that a "reasonable user" -- by the way, those "reasonable users" are folks like you and me -- actually doesn't understand a damn thing that goes on inside file system, or permissions, or Microsoft's UAC, or whatever. And that they haven't cared for the years that they've been using the computers that treat these files exactly the same way as Android does today. But we're in a different time, when it's better to have hearings than it is common sense when it comes to issues of privacy.

Apple already has taken steps to fix the unauthorized uploading of contact lists, as well as the flaw that would give apps a backdoor to the camera roll. But that hasn't stopped the inquisition.

Here's how it might go down:

Sen. Schumer: "So, let me get this straight. These applications -- I believe they're also called "apps" -- were uploading entire contact lists without permission, in violation of your terms of service?"

Apple: "Yes. We blew it. And we've put a stop to it."

Sen. Schumer: "Oh. That's good. But what about where an application that otherwise wouldn't have access to photographs taken on the iPhone could get to them by simply having access to GPS data?"

Apple: "We're fixing that, too."

Sen. Schumer: "Glad to hear it. What about you, Google? What say you?"

Google: "You're asking about bugs in iOS, senator. We're Google, not Apple. Android is not iOS."

Sen. Schumer: "So your applications can't share pictures?"

Google: "Of course they can. But they tell you that when you install them."

Sen. Schumer: "Oh. I skipped that part."

Google: "I'm sorry to hear that, senator."

Sen. Schumer: "Perhaps there should be more warning."

Google: "We also list an app's permissions in its market listing. You can read it on the Android Market on your smartphone, or from a web browser."

Sen. Schumer: "But what if a rogue app gets on my phone?"

Google: "Stay out of weird Chinese app stores. Or don't sideload applications. We have protections in place for that, too."

Sen. Schumer: "But any application can get to pictures I save, correct?"

Google: "Senator, do you have a laptop?"

Sen. Schumer: "Yes."

Google: "You do know that every program -- application -- installed on your laptop can access any file you save to your laptop, right? That's how most file systems work. Did you explicitly give it permission to do so? Because that's what you're complaining about here. It's the exact same thing. Only, Android apps tell you what they have permission to do before they ever do them."

Sen. Schumer (picks up feature phone, calls secretary): "We're going to need to schedule another inquisition -- I mean, hearing.

This sort of thing certainly isn't limited to the United States. Channel 4 News in the UK did its own hit piece this week. Its source is a single security company, targeting a single ad network, and the story contains nary a single quote from Google. Not one. 

I've only been a professional journalist for a dozen years now, but I'm pretty sure that's not how you do things. At least, it's not how you do them well.

But that didn't stop Channel 4 from showing its "findings" to the VP of the European Commission, who's already on the warpath. What these "findings" are we're not really sure, because other than showing a few code strings on air, neither Channel 4 nor its single security source says which apps are suspect. In fact, neither says the apps themselves are suspect, just that "We found that a lot of the free applications in the top 50 apps list are using advertising inside the applications, and that the permission that you grant to these applications is also granted to the advertiser."

Yes. The app that you already gave access to your phone uses in-app advertising. How, exactly, do these people think these ads work? By guessing what you're interested in?

The EU VP, Viviane Reding, is quoted as saying "This really concerns me, and this is against the law because nobody has the right to get your personal data without you agreeing to this."

We're not really sure what, exactly, Reding believes is against the law and concerns her, because, again, we don't actually see any suspect applications. (And, frankly, seeing lines of code concerns me, too, which is why I don't do code for a living.)

To borrow a line from Rene Ritchie, our smartphones are like appliances -- say, a vaccuum. I have a basic understanding of how it works, but I really don't care about RPMs or belt tension or whatever else it does to keep stuff in that little vaccuum bag where it belongs. I don't want to know. I just want it to work. Same goes for smartphones. You shouldn't have to understand or be aware of every bloody intent in every line of code that's going on behind the scenes. Don't want to know. Don't need to know.

Nobody's denying that privacy is important. Nobody's saying that security shouldn't be an issue. Both are of ever-increasing importance. And we need to be able to trust our app developers, as well as the developers operating systems that ultimately are responsible for keeping our private parts private. If our lawmakers want to keep an eye on things, that's great. But they need to at least have some basic understanding of how things work before speaking out loud. (And it certainly can be argued they have better things to be keepingi an eye on.) And this goes double for the media. For better or worse, people believe what they see on TV.

This also means education of the issues is just as important. Otherwise, we'll all be legislated back into the feature phone era, and that's not good for anyone.

Will it come to that? Probably not. But the likes of Reuters and the UK's Channel 4 -- prime outlets for proper mass media education -- aren't exactly doing anyone any favors here. Are there bad apps out there? Sure. Do bugs and loopholes happen? Absolutely. Do Google and Apple and Microsoft and RIM do their darndest to keep your info secure? You betcha. To suggest otherwise is as irresponsible as it is ridiculous.

Youtube link for mobile viewing