The Inquisition

Oy vey! According to a report from Reuters (via Phonescoop), U.S. Sen. Charles Schumer, D-N.Y., has called for the Federal Trade Commission to investigate "reports that applications on the Apple Inc and Google Inc mobile systems steal private photos and contacts and post them online without consent."

OK, folks. Let's see if we can't explain this again. There was a report in the New York Times that exposed a flaw in iOS that lets applications have full access to an iPhone or iPad's Camera Roll (the equivalent of the Android "Gallery") if said application has access to GPS location. It's not that apps can't have access to images, it's just that the way they're going about it here is in violation of the iOS terms of service, and Apple's fixing it, as it does with other bugs. And as we've previously told you, it has absolutely nothing to do with Android.

Google's mobile operating system treats photos taken by your phone the same way your desktop or laptop would, whether it runs Windows, Linux -- or, yes, Apple's own Mac OS. They're files, saved to wherever it is you save your files. No more, no less. And any program on your computer -- application, if you like -- has full access to these files. And, no, you didn't have to check some big flashing light that said "Hey! I have full access to your computer because you put me on it, or I was preloaded, or whatever!" And you've been perfectly cool with this for as long as you can remember.

But being a perfectly normal operating system with a perfectly normal and acceptable file system isn't good enough these days. And, so, says Sen. Schumer, in the case of iOS apps uploading contacts without explicit permission, "these uses go well beyond what a reasonable user understands himself to be consenting to when he allows an app to access data on the phone for purposes of the app's functionality."

Now, we're willing to bet that a "reasonable user" -- by the way, those "reasonable users" are folks like you and me -- actually doesn't understand a damn thing that goes on inside a file system, or permissions, or Microsoft's UAC, or whatever. And that they haven't cared for the years that they've been using the computers that treat these files exactly the same way as Android does today. But we're in a different time, when it's better to have hearings than it is common sense when it comes to issues of privacy.

Apple already has taken steps to fix the unauthorized uploading of contact lists, as well as the flaw that would give apps a backdoor to the camera roll. But that hasn't stopped the inquisition.

Here's how it might go down:

Sen. Schumer: "So, let me get this straight. These applications -- I believe they're also called 'apps' -- were uploading entire contact lists without permission, in violation of your terms of service?"

Apple: "Yes. We blew it. And we've put a stop to it."

Sen. Schumer: "Oh. That's good. But what about where an application that otherwise wouldn't have access to photographs taken on the iPhone could get to them by simply having access to GPS data?"

Apple: "We're fixing that, too."

Sen. Schumer: "Glad to hear it. What about you, Google? What say you?"

Google: "You're asking about bugs in iOS, senator. We're Google, not Apple. Android is not iOS."

Sen. Schumer: "So your applications can't share pictures?"

Google: "Of course they can. But they tell you that when you install them."

Sen. Schumer: "Oh. I skipped that part."

Google: "I'm sorry to hear that, senator."

Sen. Schumer: "Perhaps there should be more warning."

Google: "We also list an app's permissions in its market listing. You can read it on the Android Market on your smartphone, or from a web browser."

Sen. Schumer: "But what if a rogue app gets on my phone?"

Google: "Stay out of weird Chinese app stores. Or don't sideload applications. We have protections in place for that, too."

Sen. Schumer: "But any application can get to pictures I save, correct?"

Google: "Senator, do you have a laptop?"

Sen. Schumer: "Yes."

Google: "You do know that every program -- application -- installed on your laptop can access any file you save to your laptop, right? That's how most file systems work. Did you explicitly give it permission to do so? Because that's what you're complaining about here. It's the exact same thing. Only, Android apps tell you what they have permission to do before they ever do them."

Sen. Schumer (picks up feature phone, calls secretary): "We're going to need to schedule another inquisition -- I mean, hearing."

This sort of thing certainly isn't limited to the United States. Channel 4 News in the UK did its own hit piece this week. Its source is a single security company, targeting a single ad network, and the story contains nary a single quote from Google. Not one. 

I've only been a professional journalist for a dozen years now, but I'm pretty sure that's not how you do things. At least, it's not how you do them well.

But that didn't stop Channel 4 from showing its "findings" to the VP of the European Commission, who's already on the warpath. What these "findings" are we're not really sure, because other than showing a few code strings on air, neither Channel 4 nor its single security source says which apps are suspect. In fact, neither says the apps themselves are suspect, just that "We found that a lot of the free applications in the top 50 apps list are using advertising inside the applications, and that the permission that you grant to these applications is also granted to the advertiser."

Yes. The app that you already gave access to your phone uses in-app advertising. How, exactly, do these people think these ads work? By guessing what you're interested in?

The EU VP, Viviane Reding, is quoted as saying "This really concerns me, and this is against the law because nobody has the right to get your personal data without you agreeing to this."

We're not really sure what, exactly, Reding believes is against the law and concerns her, because, again, we don't actually see any suspect applications. (And, frankly, seeing lines of code concerns me, too, which is why I don't do code for a living.)

To borrow a line from Rene Ritchie, our smartphones are like appliances -- say, a vacuum. I have a basic understanding of how it works, but I really don't care about RPMs or belt tension or whatever else it does to keep stuff in that little vacuum bag where it belongs. I don't want to know. I just want it to work. Same goes for smartphones. You shouldn't have to understand or be aware of every bloody intent in every line of code that's going on behind the scenes. Don't want to know. Don't need to know.

Nobody's denying that privacy is important. Nobody's saying that security shouldn't be an issue. Both are of ever-increasing importance. And we need to be able to trust our app developers, as well as the developers of operating systems that ultimately are responsible for keeping our private parts private. If our lawmakers want to keep an eye on things, that's great. But they need to at least have some basic understanding of how things work before speaking out loud. (And it certainly can be argued they have better things to be keeping an eye on.) And this goes double for the media. For better or worse, people believe what they see on TV.

This also means education of the issues is just as important. Otherwise, we'll all be legislated back into the feature phone era, and that's not good for anyone.

Will it come to that? Probably not. But the likes of Reuters and the UK's Channel 4 -- prime outlets for proper mass media education -- aren't exactly doing anyone any favors here. Are there bad apps out there? Sure. Do bugs and loopholes happen? Absolutely. Do Google and Apple and Microsoft and RIM do their darndest to keep your info secure? You betcha. To suggest otherwise is as irresponsible as it is ridiculous.


Reader comments

Editorial: Privacy is paramount, but enough with the inquisitions already


OK Phil now you've done it! Expect to be called before a Senate committee & grilled by these busy bodies.

Of course, they lack the authority to compel a private citizen to appear before them... But it would be entertaining nonetheless.

I don't know, I personally think it would be awesome to speak in front of the Senate. Also more entertaining would be getting kicked out because you called all the Senators idiots and worse. Can they arrest you for contempt of senate or something? Because that would definitely be paperwork I would want to save and frame on a wall somewhere.

You're being too kind. He and all those other career politicians only follow the latest mainstream media shouts. Though Schumer is an idiot and drama queen.

Personally I think it's really more you that doesn't get it... privacy for the masses is more important than you suggest. And your description of Google/Android behaving the same way my desktop does is totally inaccurate.

When I install Outlook on my desktop, it doesn't automatically get blanket permissions now and forever unless I specifically set it up to... in order to use most apps on android, or ios for that matter, I have to surrender certain privacy permissions. With most desktop programs, who gets what is typically a case by case option decided by me when I use the program. That's the part that's missing in Android.

And it's plain wrong that it functions the other way around. I personally applaud any effort to prevent corporations... or the government from infringing on my privacy... they both got to the size they are on the backs of my... and your, information, they can bloody well get rich on my terms, not theirs.

And I do agree with The Senator in that most users have no idea the extent to which they are handing over information and tracking. Sometimes the ignorant need someone to watch out for them, not just watch them.

Wait... what?
You think Outlook can't access any files it wants?
What do you use to sandbox it?
Because I can write up a program that will list all the contents of any file on your OS in about 30 seconds. It doesn't NEED your permission to access a specific file. Once you start it, it can go wherever it wants.
And yes, Outlook (or any other program) can do anything it wants on your OS until you delete it. Now, it WON'T go look at just any file until you tell it to do so because MS isn't a virus/malware company (really, despite what many Linux/Mac users will tell you, it isn't :)). But just because it WON'T doesn't mean it CAN'T.

Exactly. (Overlooking ACLs for the time being)...

Android, with its sandbox, weak as it may be, is already light years ahead of Windows.

A couple of tweaks to Android, so that you could deny apps the ability to do certain things and access certain files, would put Android's security on par with the model used in SELinux.

Applications have the same rights as the user that executes them. If you execute an app, it can access any file you can. An ACL won't prevent that.

"When I install Outlook on my desktop, it doesn't automatically get blanket permissions now and forever"

You're an idiot. Stop typing and go play in the street. There's no such thing as "permissions" on your desktop computer. When you install Outlook or any other piece of software on your computer, it has access to every file on every drive connected to your computer. It also has unrestricted access to every piece of hardware inside your computer or connected externally to your computer. The only exception to this is internet access if you have a firewall turned on. In that case, you're asked one time if the software is allowed to access the web. After you say yes that one time, it has complete, unrestricted access to do everything and anything it wants to do online.

"With most desktop programs, who gets what is typically a case by case option decided by me when I use the program."

Again, you're an idiot. Alternately, you're lying. One of these two things must be true because your statement is completely false.

Schumer is a moron. This isn't his first public embarrassment but it doesn't seem to slow him down.

Then again, this is what we get when we keep reelecting for life old farts with VCRs still blinking midnight and allow them to take charge of modern technology.

"The interwebs is like a buncha big tubes, ya see ... "

He may well be a moron, don't know.

You can't expect Congressmen to be wizards in every field of endeavor.

But you do expect them to have STAFF, who have a clue, or know someone who does. This is a staff failure, making their boss look like an idiot. He may not have needed any assistance in that regard.

This one isn't nearly as bad as the elected Congressman from Georgia, D-Hank Johnson, was trying to act intelligent while grilling a Navy Admiral about Guam and its population capacity... you have got to look that one up on YouTube if you haven't seen it before.

YES! This ranks on my top 10 of all time stupid people list! A must watch for anybody here.

Oh by the way peeps...
He isn't alone. Sadly most elected representatives are like that clown. They are lucky enough not to have their gaffes caught on tape for infinity.

I found it more disturbing that Facebook admitted to reading text messages off of your mobile phone on iOS and Android. Do a search on the Fox News website for the article. I bet my sexts grossed them out, lmao!

Ok. Not to troll, but this is becoming one of my pet peeves lately with all the "sky is falling" privacy conversations we're having lately:

"facebook admitted to reading text messages off of your mobile phone"

Facebook is an inanimate object. Saying that Facebook reads your text messages is like saying that your cell phone "reads" your text messages. It certainly has access to them. It might even scan them looking for certain words (we all know already that Google has software that does that for determining which ads to show you) but this isn't the same thing as a *human being* who *works* for Facebook or Google reading your text messages.

An automated electronic system "scanning" your messages for certain words is not the same thing as having your private communication "read". Phrasing it that way just makes people start running in circles while screaming in panic and it drives me nuts.

These companies are *not* trying to violate your privacy, people. Why in god's name would they? Again, nobody cares what you did last night, or wants to see you sexting your girl/boy friend. And if the Facebook app is "scanning" your SMS messages, you gave it permission to access them, so...

"But they need to at least have some basic understanding of how things work before speaking out loud."

Our elected officials have been regulating and legislating things they don't understand for as long as I can remember.

While it is true that a great number of elected officials are morons, who is the biggest moron of all, the one that despite being a certified idiot manages to get elected to office, or the people who after witnessing their stupidity in office, keep electing them time and time again...

Wake up America, purge the Kool-Aid you've been fed all these years and start dumping all the morons in office (both R and D), and start selecting smarter ones with a firm alliance to Country rather than party.

Ok, back to Android now...

^^^ +1

I had a feeling this site was populated by some intelligent humans :) My faith in humanity has now been restored 0.27%

Phil Nickinson : Carrier and OEM apologist first, lousy reporter second.

Fact is both the aforementioned classes have done plenty to earn the public's distrust, and just because Congress isn't full of it people doesn't mean they should give Apple or anyone else in the industry a pass.

Shame on you Phil.

Please show me where I said anyone should get a pass?

Read this again. I'll bold the important parts for you.

Nobody's denying that privacy is important. Nobody's saying that security shouldn't be an issue. Both are of ever-increasing importance. And we need to be able to trust our app developers, as well as the developers of operating systems that ultimately are responsible for keeping our private parts private. If our lawmakers want to keep an eye on things, that's great. But they need to at least have some basic understanding of how things work before speaking out loud. (And it certainly can be argued they have better things to be keeping an eye on.) And this goes double for the media. For better or worse, people believe what they see on TV.

Thank you for proving my point Phil. Your bias is reflected in this and most of your other postings over the last 6 months.

Your entire position is that anyone who doesn't fully understand the underlying technology should shut up. By your faulty logic, BP shouldn't be accountable for the spill in the gulf because they know oil and drilling and all the players involved pointed their fingers at one another. Congress should just shut up because they aren't oil insiders or drillers or rig operators.

Google is not my friend. Apple is not my friend. App developers are not my friend. They provide services, I choose whether or not to consume them. When their market capitalizations are greater than the most evil industries in the world, I fail to see how you can give them a pass and put the shoulder of burden on Congress.

Everything they do should be looked at with scrutiny.

His position is not that people should "shut up" but that they should take a deep breath and find out what the issue really is before they go thermonuclear panic.

He's not saying that people who don't understand the underlying technology don't get a voice. He's saying that people who are in a position that makes them trusted and looked up to should do a little research before they release false or misleading information and not just yell "fire" in the theater because they heard someone else say it felt a little warm.

If even imaginary Google in the imaginary hearings believes apps need a permission to read your SD card when they actually don't, wouldn't that go "beyond what a reasonable user understands himself to be consenting to"?

Everyone in the comments of the other post seemed to be persuaded that only apps with a certain permission can access your photos. That is incorrect. Every single Android app can access all the files on your sd card without any permission.

He's done his job. You all are talking about how stupid he is, not about the fact that Obamacare is already 111 *Billion* over budget.

Well done Chuck, well done.

Instead of being an apologist a-hole, it could be gently explained on a technical level why this happens with SD cards. They might not understand why things are the way they are, but I'm certainly glad at least somebody's paying attention to privacy matters, accurate or not. You know, as long as people don't think they can legislate technical impossibilities after hearing the explanation (SOPA, anyone?).

As usual, the editorial staff at Android Central proves to be unflinchingly loyal. It's just too bad that this loyalty is always to the companies...

First, with the near passing of SOPA/PIPA, it's absolutely vital that congresscritters get some actual expert advice on technical issues before blithely accepting what lobbyists write up for them to pass. Likewise, they should absolutely do at least a minimum amount of fact checking before calling companies to a hearing.

Both those statements depend on the idea that our legislators are actually interested in good governance and protecting their constituents, rather than securing re-election funding/lucrative consulting jobs and getting press time.