Archive for May, 2011

28
May

Google takes Android spying to next level with Google Wallet

When Google launched its Android phone operating system, it gained the ability to track the movements and activities of millions of gullible people who would eventually be persuaded by “Droid Does” advertising that they needed a Google-powered smartphone.

But spying is addictive, and Google is always looking for ways to do more spying. With Google Wallet, the Monster of Mountain View intends to leverage Android to track what people are buying:

Among other things, Google Wallet will be able to store your credit card information (Google’s launch partners include MasterCard and Citi) as well as loyalty rewards, purchase points, and any saved-up Google Offers that might apply. Then, users who have Near Field Communications (NFC) enabled Android phones will be able to simply whip out their devices when shopping and tap them on electronic payment processors in order to get deals and pay for their goods.

Google is also suggesting that makers of other phones and phone systems (Microsoft, Apple, Research in Motion) could integrate Google Wallet into their own offerings.

But that’s probably just wishful thinking on Google’s part.

Still, with Android as pervasive as it is, it won’t take Google too long to deploy its new spying capabilities. The average life of a phone, even a smartphone, is pretty short. Whether Wallet becomes as ubiquitous as Android remains to be seen. MasterCard is not an exclusive Google partner; it has other irons in the fire as far as the future of payment goes. And embedding credit cards into phones may simply be too uncomfortable for many people. Hopefully, it will be.

There is no particularly good reason why credit cards should be embedded in phones. Next, Google will be signing up governments to make driver’s licenses electronic and embedded in its phones.

Where does this end?

The contents of one’s wallet do not need to be in one’s phone. There are very good reasons for keeping both separate. Foremost is privacy and security. For instance, phones are only going to become more attractive to thieves if they contain more identifying information and means of payment.

Google Wallet provides an insignificant benefit to people who might use it. Like so many other Google products, it is primarily designed to benefit Google, and not users.

17
May

Researchers: 99% of Google’s Android devices are vulnerable to password theft

Surprise, surprise… security on Android is sod-all:

The vast majority of devices running Google’s Android operating system are vulnerable to attacks that allow adversaries to steal the digital credentials used to access calendars, contacts, and other sensitive data stored on the search giant’s servers, university researchers have warned.

The weakness stems from the improper implementation of an authentication protocol known as ClientLogin in Android versions 2.3.3 and earlier, the researchers from Germany’s University of Ulm said. After a user submits valid credentials for Google Calendar, Contacts and possibly other accounts, the programming interface retrieves an authentication token that is sent in cleartext. Because the authToken can be used for up to 14 days in any subsequent requests on the service, attackers can exploit them to gain unauthorized access to accounts.

“We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis,” the researchers in the university’s Institute of Media Informatics wrote on Friday. “The short answer is: Yes, it is possible, and it is quite easy to do so.”

The researchers’ findings are pretty damning. Although Google has supposedly released a patch to address the problem, it has only been made available for newer versions of Android. 99% of the Android devices currently in use run a version that hasn’t been patched. Android users are being advised to avoid public Wi-Fi networks to mitigate this incredibly serious problem.

But it’s unlikely that most of the people walking around with Google spyware-laden phones and tablets have even heard about this issue, or could take action even if they knew (Google’s deals with major mobile carriers give them control over updates to Android devices, which prevents the Monster of Mountain View from delivering all updates directly to users).

For all of its sins, Apple at least refuses to allow carriers to have any say in when and how iOS updates are delivered. That’s not to say that the proprietary business model Apple has built is a good thing, but users should be able to update software for their devices when it is available, and it should be their choice. Smartphones and tablets ought to be under the control of the people who own them, not the giant corporations that sell them.
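
As an added illustration of the weakness described in the quoted report (not code from the researchers or from Google): a small Python check over constructed proxy-log records that flags ClientLogin tokens sent over plain HTTP and bounds how long each exposed token could remain usable, using the 14-day lifetime quoted above. The `Authorization: GoogleLogin auth=` header form is the one ClientLogin uses; the log layout, hostnames and token values are assumptions made up for this example.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

TOKEN_LIFETIME = timedelta(days=14)   # "up to 14 days", per the report quoted above
HEADER_PREFIX = "GoogleLogin auth="   # ClientLogin Authorization header scheme

# Constructed sample records: (timestamp, URL, Authorization header value).
SAMPLE_LOG = [
    ("2011-05-17T09:00:00", "http://calendar.example.test/feeds/default", "GoogleLogin auth=TOKEN-A"),
    ("2011-05-17T09:05:00", "https://contacts.example.test/feeds/default", "GoogleLogin auth=TOKEN-B"),
    ("2011-05-18T12:30:00", "http://calendar.example.test/feeds/default", "GoogleLogin auth=TOKEN-A"),
    ("2011-05-18T12:31:00", "http://news.example.test/", ""),
]

def find_cleartext_tokens(records):
    """Return {token: info} for every ClientLogin token seen on plain HTTP."""
    exposed = {}
    for stamp, url, auth in records:
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            continue                  # TLS-protected request: token not readable on the wire
        if not auth.startswith(HEADER_PREFIX):
            continue                  # no ClientLogin token in this request
        token = auth[len(HEADER_PREFIX):].strip()
        seen = datetime.fromisoformat(stamp)
        info = exposed.setdefault(token, {"first_seen": seen, "hosts": set(), "count": 0})
        info["first_seen"] = min(info["first_seen"], seen)
        info["hosts"].add(parts.hostname)
        info["count"] += 1
    for info in exposed.values():
        # Upper bound: the token was issued no later than its first sighting,
        # so it expires at most one lifetime after that.
        info["usable_until"] = info["first_seen"] + TOKEN_LIFETIME
    return exposed

def needs_revocation(exposed, now):
    """Exposed tokens that may still be valid at `now`."""
    return sorted(t for t, i in exposed.items() if now <= i["usable_until"])

if __name__ == "__main__":
    found = find_cleartext_tokens(SAMPLE_LOG)
    for token, info in found.items():
        print(token, sorted(info["hosts"]), info["count"], info["usable_until"].isoformat())
    print(needs_revocation(found, datetime(2011, 5, 25)))
```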

13
May

Google’s “Chromebooks” are the very definition of Treacherous Computing

Some years ago, free software pioneer Richard Stallman penned an essay asking users, “Can You Trust Your Computer?” He wrote:

Who should your computer take its orders from? Most people think their computers should obey them, not obey someone else. With a plan they call “trusted computing”, large media corporations (including the movie companies and record companies), together with computer companies such as Microsoft and Intel, are planning to make your computer obey them instead of you. (Microsoft’s version of this scheme is called Palladium.) Proprietary programs have included malicious features before, but this plan would make it universal.

He added:

In the past, these were isolated incidents. “Trusted computing” would make the practice pervasive. “Treacherous computing” is a more appropriate name, because the plan is designed to make sure your computer will systematically disobey you. In fact, it is designed to stop your computer from functioning as a general-purpose computer. Every operation may require explicit permission.

Emphasis is LGB’s.

Google has now officially joined the league of companies engaged in what Richard justifiably calls treacherous computing schemes. The Monster of Mountain View is planning to debut a device it calls the Chromebook, which is basically a dumbed-down laptop running Google software which obeys Google instead of the user it supposedly belongs to. H-Online notes:

It is currently unclear if the Chromebooks will have a “developer” switch on them as Google’s CR-48 device did; the switch allowed users to install different operating systems or modified versions of Chrome OS on the device. Chromebooks are designed to use the TPM chips on the motherboard to perform a Verified Boot on the device and if it detects tampering, it will replace the installed operating system with a known good instance automatically; the developer switch on the CR-48 prevented that from happening.

In other words, the hardware in the “Chromebooks” has been intentionally designed to prevent hacking. (Hacking, in the traditional sense, refers to a user’s freedom to tinker; it doesn’t mean harming anybody else’s equipment or services.) Somebody who buys a Chromebook is thus not free to repurpose the hardware and use it for something else, because Google has programmed the motherboard to obey Google and not the user.

Even if the “Chromebooks” do contain a “developer switch” like the CR-48 prototype did, there’s no justification for putting hardware-based digital restrictions management into a computer.

Of course, the rationale for the restrictions is simple. Google wants to be sure that people who buy “Chromebooks” use them to access Google products and services.

That way, Google can continually spy on their “customers”.

Google’s behavior here is simply more proof that it is no better than Microsoft or Apple, the leading proprietary software companies (or Electronic Arts, which has stopped selling games and now only rents them out). But unlike Apple or Microsoft, Google is using free software to advance the evil of treacherous computing. What they are doing is outrageous and immoral.

It is time for the free software movement to rise up against Google and recognize it as the greedy, freedom-undermining, privacy-destroying corporation that it is.

12
May

Google wants its software running your home appliances, not just portable gadgets

Talk about a privacy-less future:

At its I/O developer conference on Tuesday, Google showed a sneak preview of its Android@Home project, which will extend the Android platform into household objects. That means some day in the future, you could control home appliances—your dishwasher, the heating system, the lights in your house—using your Android device as a remote control.

“Think of your phone as the nucleus that this all started with,” said Google engineering director Joe Britt in an interview. “We’re opening the platform up to everyone to do whatever they can imagine.”

There’s something to be said for the ability to turn on your parked car’s air conditioning before you get to it. But, practically, what’s the point of having a dishwasher or washing machine that can be wirelessly controlled? Without place settings or clothes to clean, there’s nothing for the devices to do. And the technology doesn’t yet exist for such appliances to load themselves. For that, we’d need human-like robots.

There’s obviously more potential when it comes to heating, cooling, and lighting. But controlling the utilities in a house from somewhere else in the world has serious privacy and security implications. Implications that have not been addressed, will not be easy to address, and don’t actually even make sense for Google to address. If Google took privacy seriously and didn’t capture data for its own use, it wouldn’t be able to profit. It would be moving the goalposts forward technologically, but it wouldn’t be making money. Spying is Google’s business model. It underpins search and advertising (Search/Analytics/Adsense), Gmail, Chrome and Android, and pretty much every other product it offers.

Google’s practice of collecting data and never deleting it is becoming a bigger and bigger problem that governments are not addressing. There’s been some action taken in the European Union, but almost none in the United States, where Google is based. It’s time for that to change before Google becomes any more powerful than it already is.

10
May

FSF reminds us that Google’s Gmail utilizes proprietary JavaScript

The Free Software Foundation (FSF), the leading organization working to protect the rights of Internet users and defend free software, posted a reminder for its members and supporters today about Google’s double standard when it comes to free software. Google may provide hosting for open source projects and contribute to the development of some free software, but the software that powers its own offerings is not free.

That includes the JavaScript that runs Gmail.

Because of the incredibly high percentage of Gmail-using free software supporters, we’re taking action to raise awareness about how to use Gmail without using proprietary software. We’ll also be working on longer term solutions, but the most immediate positive step to take is to stop running the proprietary programs.

Many people suggest that you shouldn’t use Gmail at all, because it means losing control over your data and privacy. We agree that this is a very important factor for you to consider when choosing how you will handle your email.

We are among those who suggest that Gmail shouldn’t be used at all due to privacy and security concerns. The fact that Gmail’s web interface is comprised of proprietary software is just another good reason not to do business with the Monster of Mountain View.

9
May

HubPages CEO: Google has a big, fat double standard

Paul Edmondson, the chief executive officer of HubPages, says a recent internal initiative to toughen Google’s search algorithm (nicknamed Panda) has punished legitimate sites with user-generated content (like the one he runs) as well as dubious content farms, while sparing Google’s own properties:

Google’s recent “Panda” update intentionally upends this ecosystem; it doesn’t just lower the rankings of individual pages that the algorithm deems “low quality” (however that may be defined by Google) but, as Google has said publicly, “low-quality [page] content [on the domain] can impact an entire domain.” This means that high-quality content hosted on open publishing platforms like HubPages and YouTube can be negatively impacted in their search rankings simply by hosting contributions of various quality on a single site.

HubPages has seen a negative impact from this change, but so far YouTube has not (Search Metrics Winners). One presumes Google isn’t treating its own affiliated sites differently than any other site, but YouTube’s open publishing environment makes low-quality content as prevalent as on any other moderated open publishing platform. Google shows over 13 million indexed videos on YouTube for lose weight (known spammy area) and over 10 million for forex (another spammy area). Apparently, Google’s Panda update has been punitive only to platforms other than Google’s.

Surprise, surprise… Google treats its own properties differently than it treats others. This has actually been going on for years, but Google is rarely taken to task for it. Most of the complaints that have been made about the practice have come from Google’s competition. As Google has entered an increasing number of markets over the years, it now has a great many competitors in many different areas.

Google’s practices wouldn’t be so detrimental if it wasn’t so close to being a monopoly. Sadly, it has become synonymous with the idea of search, even though it is hardly the best or most intuitive search engine out there, let alone privacy-aware.