Log in

No account? Create an account

Previous Entry | Next Entry

Is this evil?

When you buy a phone, especially a smart phone, you don't really have a lot of control over what software goes on your phone or how your phone is used.

That's a fact. It's always been that way, and it will likely continue to be that way for the foreseeable future.

Apple has taken a lot of (well-deserved, in my opinion, and I say this as an iPhone user) shit for their weird app control-freakery. No porn, no apps developed using tools other than Apple's own Xcode, no apps they find "controversial" or "offensive"...and the whole app approval progress is as opaque as Glenn Beck's sense of ethics.

So a lot of folks are turning to Google's Android phones, in the misguided and poorly-founded belief that the fact part of the Android stack is open source somehow means Google doesn't exercise just as much control over the platform. This despite the fact they have on a few occasions now refused to host apps that various telcos have asked them not to.

I'm not in the market for a new smartphone, so I've been watching the whole thing from the sidelines. But something did catch my eye recently, and it's got me thinking down a path that zaiah thinks is evil.

Last week, a security researcher released a Google app that claimed to be a preview of the new Twilight film--you know, the one about lame-ass sparkly vampires or something, written by a conservative Mormon woman who wanted a nice Christian alternative to the evil witchcraft that's woven all through the Harry Potter saga like evil anchovies on the pure pizza of God, so she wrote about stalking and violence and rape instead. Because, of course, the main theological debate facing scholars in the dawn of the 21st century is "who would Jesus rape?" But I digress.

Anyway, the app secretly contacted his server in the background and downloaded (innocuous) code. He wanted to see how easy it would be to persuade people to download an Android app that could install a rootkit, and how easy it would be to get such an app onto the Google app marketplace.

The answers turned out to be "a whole lot" and "easier than opening a bag of Cap'n Crunch, apparently.

When Google found out, they vaporized all the copies of his app from all the Android smartphones out there.

Now, Apple also has a remote-kill switch. This is part and parcel of the state of the smart phone biz. A smart phone carrier or software vendor can reach out remotely and vaporize apps or files from your phone, without you being able to do anything about it. That's the way it is.

But when Google vaporized this research app, the researcher discovered something interesting--Google also has the ability to remotely ADD an app to a user's phone without the user knowing it. Google can remotely install software on Android phones over the air.

And that opens an interesting can of worms, oh yes it does.

The courts have ruled on several occasions that a company that has the ability to do something may be compelled to do it by a court order, whereas it is far more difficult to compel a company that does not have the capability to do something to add that capability.

Take Amazon and the Kindle (please!). Amazon revealed that it can remotely nuke a book from Kindles all over the world when someone started selling bootleg copies of George Orwell's 1984, and Amazon reached out and wiped them.

Amazon then tearfully confessed that doing so had been an error in judgment and swore it would never do it again, but at this point they no longer have that option. Since they have demonstrated the ability to do it, the next time someone's intellectual property is stolen and distributed for Kindle, the rights holder may be able to get a court order to force Amazon to nuke the offending files whether Amazon wants to or not.Amazon made that bed and might not have a choice about sleeping in it.

So here's the conundrum I'm pondering. Since Google has the ability to remote install apps, what would happen if Google were forced by court order to use it? What would that do to the cell phone industry? Would people start staying away from Android in favor of other platforms without that ability? More important, would it lead to social dialog over what kind of power we should be willing to cede to the phone operators?

I'm considering writing an Android app that runs in the background and sends the GPS coordinates of the phone to a server every few minutes. I am also thinking about approaching a bunch of police departments and saying "I've written this app. I will not distribute it to anyone except law enforcement. If you get a court order to put it on someone's phone, I'll give it to you and you can compel Google to install it remotely."

Might not ever get used. But the first time it did get used, I have a feeling it'd generate quite a shitstorm. And open a conversation that I think probably needs to happen.

zaiah says that doing this would be evil. What say you, Oh Interwebs?


( 35 comments — Leave a comment )
Page 1 of 2
<<[1] [2] >>
Jul. 1st, 2010 12:04 am (UTC)
From a general philosophical perspective, I say this is no different than the 911 GPS chip they made mandatory in every phone a few years back. It is not 'evil' for a company to develop technology with the intention of providing a valuable service to the consumers; it is 'evil' for the courts/government to use it outside the bounds of the constitution. Home network cameras are not 'evil'; Panasonic is not 'evil' for providing a live stream backup server free with them so if someone robs your house when you're on vacation you can know who it was. The court system/government becomes evil when it chooses to order Panasonic to release all the footage of your house for a certain time period under penalty of the law.

From a personal perspective, I feel it is "evil" for you to knowingly do it with the intention of invading someone's constitutional right to privacy. But, since you are not an agent of the government (to the best of my knowledge), it is not an inherently "evil" act to write the software, and even attempt to distribute it on your own.
Jul. 1st, 2010 12:09 am (UTC)
I love this article. This conversation does need to happen, but if you do do this, be prepared for the backlash. But I'm insanely curious to know what kind of reception your app would get in the legal/law enforcement community. I suspect they'd be salivating all over it.

bugfish and I were talking about Apple's ability to put things on your phone (like installing an app over the air) - and I don't think they can. Android is all kinds of "great" I'm told, but I do NOT like the idea that they can install shit on your phone "on the fly". At the very least, it should take some work.
(Deleted comment)
Jul. 1st, 2010 08:12 am (UTC)
Just had to say I heart that icon.
Jul. 1st, 2010 12:22 am (UTC)
I think the GPS tracker app is brilliant. Both because it might end up saving someone's life one day and because it will, once discovered, open the very conversation that you desire.
Jul. 1st, 2010 01:29 am (UTC)
You mean you want to write Google Latitude?
Jul. 1st, 2010 01:31 am (UTC)
Heh, you beat me to it bc I spent ages trying to remember the name! (Resorted to xkcd for help, of all things!)
(no subject) - serolynne - Jul. 1st, 2010 01:40 am (UTC) - Expand
(no subject) - tacit - Jul. 1st, 2010 03:09 am (UTC) - Expand
Jul. 1st, 2010 01:30 am (UTC)
Prior art? Maybe they're using it already...
(Deleted comment)
Jul. 1st, 2010 10:06 am (UTC)
Re: Evil.
The benefit of the phone company having control over which apps get uploaded onto a phone is that the police can't do this without their assistance (and generally big companies don't bend over backwards and do everything that the police tell them to do, esp if it's illegal!) and the police need to have a warrant in order to force the phone company to cooperate, which means there are controls in place - they don't have absolute power.
In theory someone at the phone company could, but I think without a warrant in place such data would be inadmissable as evidence (probably, IANAL)

"Lastly, this is an idea for which there are insufficient safeguards. How difficult would it be to randomly install a back door to feed financial information to the writer, who may later use it for identity theft?">/i>
Again, this would hopefully be picked up by the phone co. - part of the rationale for controlling app availability is to prevent malicious code.
Re: Evil. - emanix - Jul. 1st, 2010 10:07 am (UTC) - Expand
Re: Evil. - pierceheart - Jul. 1st, 2010 01:15 pm (UTC) - Expand
Jul. 1st, 2010 02:47 am (UTC)
There is no good or evil, only wise and foolish methods toward achieving your aims. Sadly, only in hindsight will you be able to judge and learn. If you choose to act I would be interested in learning your perspective on the consequences.

On the other hand what can happen, will, given enough time. So the real question is, do you prefer to see yourself as an agent or resistor of change?
Jul. 1st, 2010 04:22 am (UTC)
I just root my Android phone, install a modified OS and skip the whole debate. :-)
Jul. 1st, 2010 04:28 am (UTC)
Unfortunately, the "make things so bad that people notice and fix things" school of anti-authoritarianism has not, so far, seemed to pan out very well. We've already got a U.S. Federal government that, for the past two Presidents, ignores the Sixth and Eighth Amendments completely. Why give them more rope with which to hang us?

In the current legal climate of the U.S., you can be darn sure that federal bodies would use such an app unethically if it started to be standard practice.

So far, Google seems (according to what I see in the news -- I have no special insight here) to fight off this sort of invasion with full legal force, much more so than many other companies (AT&T comes to mind), but why add the pressure?
Jul. 1st, 2010 06:23 pm (UTC)
Jul. 1st, 2010 05:58 am (UTC)
My feeling is that it'll happen eventually. My consideration would be if you think the dialogue it would open is more valuable than the trouble it would cause you.
Jul. 1st, 2010 07:58 am (UTC)
Sometimes the best way to control the conversation is to trigger it yourself...I would dub that the Rossim & Senator Perrin line of thinking.

However, like Rossim, etc you're in big danger of it all blowing up on you or twisting in unexpected ways. If I were to engage in this I would make the app serve several aims at once along with multiple kinds of backup, make the app into a Xanatos Gambit.* If that can be done, its worth doing...

So really the question to consider is, after you do this, what next? What happens if the conversation doesn't happen? or if there is general acceptance not hoopla? etc If you think you've got a handle on the consequences to where it isn't going to go horribly wrong, then do it.

"At its most basic, the Xanatos Gambit is about secretly manipulating someone into trying to foil your own plans. It assumes two possible outcomes by the one manipulated - success or failure, and the plan is designed in such a way that either outcome will ultimately further your goals."

Jul. 1st, 2010 08:11 am (UTC)
Great icon, I have that edition of Stranger.
Jul. 1st, 2010 11:08 am (UTC)
I say go for it on the condition that you're willing to commit yourself to being the whistleblower, even if ordered to keep it secret. Otherwise you're just surreptitiously reducing privacy.
Jul. 1st, 2010 12:26 pm (UTC)
My .02
I am writing this comment based solely on your post. I have not read any of the other commenters (yet). I do not think that this is evil at all. In fact, I think this needs to happen. Mostly because I think the tel-cos already have too much control over our privacy (and yes, we've allowed this to happen). I agree that this is a conversation that needs to happen, sooner, rather than later.

And by the way, this is just another reason why I think your blog rocks.

Oh, and on a side note, that app would probably make you rich.
Jul. 1st, 2010 02:41 pm (UTC)
I'd put a lot of money that the services do not require your assistance in writing such an app, and that it already exists. But I'm surprised that people think it is very easy to legally enforce a firm to use it.
Imagine a hypothetical dialog about whether we should equip police with the physical means to storm into someone's house. The people who are against it claim that it would lead to police breaking into people's homes all the time, based on their ethnicity and whatnot.
But it hasn't.
Same thing here -- the question is about the laws that justify the court order for such things.
This app could save lives, potentially. There's nothing evil about it, or even about the notion that a court order can be used to force a firm to install it. Evil can come only from incorrect answers to the question "Under which circumstances should such court orders be ensued?"
Jul. 1st, 2010 11:26 pm (UTC)
Ideally, I'd tend to agree with you. And, honestly, I have no problem with the notion that police are necessary to the functioning of a stable society, and that under some controlled circumstances, police can be given the authority to do things like tap your phone or follow you around.

But I also think that transparency is necessary to the healthy functioning of a stable society, and that with issues like compelling the manufacturers of electronic gizmos to control those gizmos for the purpose of law enforcement, we don't have the level of dialog or transparency we need to have.

I also really wonder if the companies that install these capabilities in their gizmos have fully thought through the legal implications. I believe Jeff Bezos is sincere when he says that Amazon will never use their ability to remotely vaporize the documents stored on a Kindle again. I just think that he hasn't considered the fact that now that the cat is out of the bag, a court can compel him to.

I've worked in companies that make tech gizmos. You'd think that there would be a legal team to offer guidance or oversight on the kinds of capabilities they install, and you'd think that they'd consider the legal implications of features like remote administration capabilities that they install. As near as I can tell, though, you'd be mistaken; it doesn't seem to happen. Which I find a little weird.

Remote delete capability is one thing, but remote install capability opens a potential can of worms I don't think people have thought much about. And, unfortunately, there are members of the government (I'm looking at you, W) who feel perfectly comfortable ordering telephone companies to engage in wide-spread, warrantless wiretapping, and companies that seem comfortable going along with that. Remove the legal balances on that sort of thing and we have a problem.
Page 1 of 2
<<[1] [2] >>
( 35 comments — Leave a comment )