July 13, 2013 By: Samantha
Looks like even we Australians haven’t been able to stay clear from the unprecedented, mass surveillance that Americans have been subjected to, as The Sydney Morning Herald (SMH) has revealed today. It may or may not come as a shock that Australia’s largest telecommunications company Telstra has had a secret pact with the US intelligence agencies for at least a decade, obliging Telstra to store mass volumes of communication data of Australians for potential investigations by the US in the future.
An agreement penned when 50.1 percent of Telstra was still owned by the Australian Federal Government, it obliged Telstra to meet the demands of the FBI and Justice Department to “provide technical or other assistance to facilitate…electronic surveillance,” while allowing for all communications involving a US point of contact to be stored in a secure storage facility located on US soil and managed and sifted through by Americans with top-level security clearance. This data includes phone calls, emails, and online messages.
This means if you’re an Australian who’s contacted anyone in the US in the last decade at least, those related phone calls, emails, and online messages are stored in some dark, dank dungeon of borderline criminality with big, shameful ‘Made in Australia’ and ‘Owned by the US’ stickers all over it. That’s not a very desirable place for your private information to be stored.
SMH has also confirmed that the agreement was still in operation “as recently as March 2011,” while Telstra has disappeared in their White House replica doghouse with the tail between the legs, refusing to comment or answer detailed questions about it.
This is a major concern for Aussies, as although the contract does not “authorise Telstra or law enforcement agencies to undertake surveillance” (SMH), the legality of the contract is very questionable, if not an “invasion of privacy and erosion of Australia’s sovereignty,” as spoken by the Greens on Friday. This is so, as there a a number of legislation such as the Telecommunications (Interception and Access) Act 1979 (Cth) and Telecommunications Act 1997 (Cth) that govern the ‘privacy of communications,’ with the former “[prohibiting] the interception of communications passing over a telecommunications system and prohibits access to stored communications (i.e. email, SMS and voice mail messages) except where authorised in specific circumstances” (Electronic Frontiers Australia).
And for Optus customers, don’t feel so safe, as our second largest telecommunications company has also declined to comment whether they have stored data for “potential surveillance by US, or Australian, authorities” (SMH). This also certainly doesn’t mean that all you folks with unmentioned companies such as Vodafone are exempt from such probings.
Let’s see how this unfolds, shall we?
“It’s How We [Dis]Connect” Telstra Advertisement
[Source: Sydney Morning Herald]
Privacy has always been a concern, and has somewhat heightened by recent revelations. And although I doubt any government would resort to using apps to ‘maintain national security,’ there are still dodgy ‘developers’ out there you need to look out for. So to help out with that, XDA Senior Member jacksparao introduced Who is Tracking.
Who is Tracking generates a list of apps that have some form of network access on your device. This means Who is Tracking will display any apps that have access to your device via Bluetooth, WiFi, GPS, and your mobile network, allowing you to spot and act on anything that just doesn’t seem right. In addition, Who is Tracking has a ‘Test Anyone Tracking You’ feature, which brings up any connected services on your device. Other nifty little features include the option to wipe your GPS history and shortcuts to enable mock GPS locations, as well as a to your security settings.
With Who is Tracking, you may be surprised with how many apps have access to your device in ways you’d never even consider. The app is still under active development by jacksparao, so we hope to see more improvements and additions in the future. It’s compatible with devices running Android version 2.2 or newer, and is free from the Play store. For more information, check out the original thread.
There’s no denying that privacy is a huge concern for a large number of mobile users across all operating systems. Short of smashing your wireless router and trading down to a 3310 that’s kept in a lead-lined box until you need to make a call, it can be incredibly difficult to keep track of where, when, and to whom your personal information is divulged.
Android applications require various permissions, which you are no doubt familiar with by now. Most require these for valid reasons. Some, however, may take advantage of a particular permission and use it to do something you might not be aware of or have expected. Apart from installing only applications that you absolutely need and trust, the best way to try and eliminate the possibility of permissions being abused is to use something like OpenPDroid to adjust these permissions on a per-app basis. The only downside to such a modification is that it can be difficult to put in place for the average user. XDA Senior Member M66B has taken a step towards making permissions management a whole lot easier with a little help from the Xposed Framework.
XPrivacy is an Xposed module that allows the user to view all the currently installed applications on their device and then adjust the individual permissions that app is able to use. Instead of simply preventing the application from collecting the data it is looking for, which can lead to force closes, XPrivacy will provide false data such as an empty contact list or spoofed location. A full list of the possible restrictions and any other information you could possibly want is available from M66B’s Github. The module is also open source, which is nice.
If privacy is a concern for you, take a look at the original thread for more information.
Android, as an operating system, is fairly unique in that it makes users aware of the permissions available to apps in a fairly transparent way. Compared to Blackberry or iOS, which issue granular prompts such as “Can Angry Birds access your location?” or “Can Instagram access your camera to take photos?” There is a somewhat subtle difference here: The rivals give the user a choice about these requests.
Jump over to Android where, after installing an app, it has free reign to use every permission you agreed to. While this doesn’t sound an issue, let’s take a look at the Play Store. Let’s look at a nice, popular app (for better or for worse): Facebook.
The Facebook app has permissions to:
Getting tired and out of breath yet? It’s not over yet though! Facebook can also:
What is perhaps most disconcerting is that while Google acknowledges openly the risks in each permission (I suggest you take a read at the detailed description of some of the permissions on a Play Store listing), the company takes no steps to help you with this. Thus, the entire Android ecosystem is built around you trusting the developer to play fair, and not do anything dodgy.
And while I might be unique in my recommendation (which I firmly believe is warranted in this day and age given recent information revealing the extent of mass surveillance that is ongoing) to trust nobody, not even yourself. For this reason, I suggest the Android permissions system is totally flawed, in relying on developers to not abuse permissions, and not request excessive permissions. How many torch apps on Android have more than the required camera permission (to enable the camera)? I’d suggest most do, feel free to take a look!
You’d think the Android community would rally against such behaviou, but it’s reached a point where it is acceptable for developers to declare a need for excessively gratuitous permissions in order to use their apps. What happened to user choice? I then was pointed towards this post on G+ by Steve Kondik (XDA Recognized Developer cyanogen), which I read with much dismay. While I do not use G+ (closed platform, requiring far too much data to be disclosed to Google), I would suggest that with respect, the need for user privacy and security MUST come first, as it’s clear app developers cannot “do” security.
Perhaps if Google introduced zero tolerance for moronic errors in security (plaintext passwords, gathering contacts data, obtaining device IDs that are not hashed suitably with a cryptographic hash etc), it might offer an incentive to consider security? Given many users (wrongly) reuse passwords between services, the sending of plaintext passwords should be sufficient, in this author’s opinion, to justify immediate removal of all of a developer’s apps from the Play Store, forever.
Some people just don’t know how to do security. And for them, I sigh. Users deserve security, and privacy, and unless you go ahead and look at the OpenPDroid project on XDA (which I strongly suggest you check out), you are pretty much being abandoned by even the leader of CyanogenMod. While I appreciate his concerns for app developers, it is simply inexcusable to not look into fixing the glaring hole that is contacts access. This is 2013, the era of social engineering, and I cannot choose selectively which apps see which contacts in my address book? REALLY?
Something needs to happen here, before people wake up and smell the coffee, and realize this isn’t sustainable. It’s time users became more aware about what apps are doing, and the extent of data mining that is ongoing. It’s your data, and it should be entirely your choice who gets it.
You shouldn’t have to avoid an app because you don’t like the look of its permissions; you should be able to (whether as stock Google feature, or custom ROM feature) be able to selectively decline to allow an app to access your data. And this should be done gracefully, either providing empty data (for contacts, or similar), or null data (i.e. requesting phone number or IMEI should return the same response as a tablet lacking these identifiers).
Is it right to deny your users the choice, to make life “easier” for app developers? (arguably to allow them to capture user data more easily) I argue it’s not, and it’s time the Android community unites to put an end to apps having free reign over YOUR data. If this concerns you, why not check out the aforementioned OpenPDroid (and similar) projects on XDA, and see if you can help out, or test, or contribute to the cause?