As the manager (and former lead engineer) of the “security intelligence” portions of our Insight product, I’m often tasked with thinking about security in different ways. A big part of that is finding weaknesses in everyday technologies that could be used to exploit and expose our customers to potential breaches, and then figure out a way to model that with Insight. As a result, I often track security in the media and emerging threats in the industry, and provide internal (as well as external now, I suppose) commentary. So, last week’s press coverage regarding privacy issues surrounding the use of a certain mobile diagnostics technology started a (small) media frenzy on the nature of mobile phones. Now, normally, I consider anything that stealthy ignores user privacy settings and stealthy sends personal information anywhere to be a Bad Thing… But, in this case it DID bring mobile security to the forefront of mass media and at least got people thinking about the topic. I guess for once a potential privacy breach actually did have at least one good side effect.
When companies insert these frameworks with little clarity provided to the end user, it is no surprise that they end up getting abused in some fashion. While we don’t know of any malicious usage of this data yet, that doesn’t mean that they’re not out there. How many times in the last year has a company sent a shaming email to you implying your identity was compromised in some fashion? How many more don’t even know they lost it yet? And, this isn’t a simple password hash. With the level of data this application logs and captures, who’s to say someone couldn’t profile your geolocation patterns and break into your home/office or check your call logs for behavior that you might not want known publicly? While these are extreme examples, global security trends show us more and more that attackers are going to great lengths to break into corporate enterprises, and it isn’t like blackmail is a new concept. I’d recommend we build security completely into the mobile platform and give our data and geolocation the same protection our voice calls have with Federal wiretapping laws. This would at least give us some manner of legal protection from the methods companies are using to ‘improve service’. What do you think? Isn’t it hard enough to secure mobile devices without these types of applications? Is this another situation where the law needs to catch up before users can be completely safe, or is there another way to secure what our phones are telling others?