Tag Archives: the Daily Telegraph

The Phantom Threats We Face

This is a copy of my weekly Loose Wire Service column.

By Jeremy Wagstaff

We fear what we don’t know, even if it’s a guy in Shenzhen trying to make an honest living developing software that changes the background color of your mobile phone display.

Here’s what happened. I’ll save the lessons for the end of this piece.

A guy who prefers to go by the name Jackeey found a  niche for himself developing programs—usually called apps—for the Android cellphone operating system.

They were wallpaper applications—basically changing the background to the display.

That was until an online news site, VentureBeat, reported on July 28 that a security company, Lookout, had told a conference of security geeks that  that some downloadable applications to phones running the Android operating system would “collect a user’s browsing history, their text messages, the phone’s SIM card number and subscriber identification, voicemail phone number password” and send all this data to a website owned by someone in Shenzhen, China.

Yikes! Someone in China is listening to our conversations! Figuring out what we’re doing on our phone! Sending all this info to Shenzhen! Sound the alarum!

Word did indeed spread quickly. About 800 outlets covered the story, including mainstream publications like the Daily Telegraph and Fortune magazine: “Is your smart phone spying on you?” asked one TV station’s website.

Scary stuff.

Only it isn’t true. Firstly, VentureBeat had the story wrong: The applications in question only transmitted a portion of this data. No browsing history was transmitted, no text messages, no voicemail password.

VentureBeat corrected the story—sort of; the incorrect bits are crossed out, but there’s no big CORRECTION message across the top of the story—but the damage was done. Google suspended Jackeey’s apps. Everyone considered Jackeey evil and confirmed suspicions that a) Android was flakey on security and b) stuff from China was dodgy.

All kind of sad. Especially when you find that actually Jackeey himself is not exactly unreachable. A few keyword searches and his email address appears and, voila! he’s around to answer your questions. Very keen to, in fact, given the blogosphere has just ruined his life.

Here’s what he told me: He needed the user’s phone number and subscriber ID because people complained that when they change their phone they lose all their settings.

That’s it. That’s the only stuff that’s saved.

Needless to say he is somewhat miffed that no one tried to contact him before making the report public; nor had most of the bloggers and journalists who dissed his applications.

“I am just an Android developer,” he said. “I love wallpapers and I use different wallpaper every day. All I want is to make the greatest Android apps.”

Now of course he could be lying through his teeth, but I see no evidence in the Lookout report or anything that has appeared subsequently that seems to suggest the developer has done anything underhand. (The developer has posted some screenshots of his app’s download page which show that they do not request permission to access text message content, nor of browsing history.)

In fact, he seemed to be doing a pretty good job: His apps had been downloaded several million times. He declined to give his name, but acknowledged that he was behind both apps provided under the name Jackeey, and under the name iceskysl@1sters.

The story sort of ends happily. After investigating them Google has reinstated the apps to their app store and will issue a statement sometime soon. It told Jackeey in an email that “Our investigation has concluded that there’s no obvious malicious code in your apps, though the implementation accesses data that it doesn’t need to.”

VentureBeat hasn’t written an apology but they have acknowledged that: “The controversy grew in part because we incorrectly reported in our initial post that the app also sent your text messages and browser history to the website.”

For his part Jackeey is redesigning his apps to take into account Google’s suggestions. He points out that to do so will require him to have users set up an account and enter a password, which some users may be reluctant to do. And the Google suggestion is not entirely secure either.

Obviously this is all very unsatisfactory, in several ways.

Firstly, the journalism was a tad sloppy. No attempt was made to contact the developer of the app for comment before publishing—how would you feel if it was your livelihood on the line?—and the correction was no real correction at all.

Secondly, the internet doesn’t have a way to propagate corrections, so all the other websites that happily picked up the story didn’t update theirs to reflect the correction.

Thirdly, Google maybe should have contacted Jackeey before suspending the apps. It would have been kinder, and, given they’ve not found anything suspicious, the right thing to do.

Fourthly, us. We don’t come out of this well. We are somehow more ready to believe a story that includes a) security issues (which we don’t understand well) and b) China, where we’re perhaps used to hearing stories that fit a certain formula. Suspicious?

And lastly, perhaps we should look a little harder at the source of these reports.  We seem very quick to attribute suspicious behavior to someone we don’t know much about, in some scary far-off place, but less to those we do closer to home: Lookout’s main business, after all, is prominently displayed on their homepage: an application to, in its words, “protect yourself from mobile viruses and malware. Stop hackers in their tracks.”

So spare a thought for Jackeey. If you do a keyword search for him, the first hit is the story “’Suspicious’ Android wallpaper app nabs user data”, and links to 863 related articles. Below—a week after the hoo-ha, and after Google has sort of put things right–are headlines like: “Jackeey Wallpaper for Android steals your personal info”, “Your Rotten App, Jackeey Wallpaper” and “Jackeey steeling [sic] info on Android devices”.

In other words, anyone who checks out Jackeey’s wares on Google will find they don’t, well, check out.

I got back in touch with Jackeey to see how he’s holding up, a week after the storm broke. I’m in some pain, he says, “because mass negative press said that I steal users’ text messages, contacts and even passwords.” People have removed his applications from their phone, and people have been blasting him by email and instant messaging, calling him “thief”, “evil person” and other epithets.

“I am afraid that it will destroy my reputation and affect my livelihood forever,” he says.

I’m not surprised. We owe to folk like Jackeey to make apps for our phones, so we should treat him a little better.

Sleazy Linkers Lose An Ally

Seems as if there’s a bit of a groundswell building against internal links, which I got all upset about a few months ago. (internal linking is where you place a link on a word like, say, Google, but instead of actually linking to Google you link to another page on your own blog about Google.) Amit from Digital Inspiration points out that

Valleywag, the Silicon Valley gossip blog that everyone hates but still reads, always practiced excessive internal linking but good sense prevailed at Gawker and they have suddenly changed that habit.

Amit also points to Shane at the Daily Telegraph, who is complaining about the same practice. Etre.com points out how brazen TechCrunch are at doing it, but points out that Mashable and Engadget continue to do so.

I find it personally annoying because I tend to drag links into PersonalBrain or elsewhere and expect a link that says ‘Flock’ to go to Flock. But it’s also dishonest, like putting an EXIT sign over a door in a shop which instead goes into another part of the shop. It’s against the principles of the net, and, frankly, tells me that something is wrong in the state of Web 2.0 if this kind of thing is considered acceptable or even good practice.

What to do? Maybe a name-and-shame list until these recalcitrants start respecting the intelligence of their readers?

A Lesson from Valleywag – Good Linking Etiquettes | India Inc.

Blogged with Flock

Tags: , , , ,

Microsoft DVDs and the Elusive Truth

What’s true and what’s not? Not that easy to ascertain these days (not that it ever was particularly easy) with blogs and all that. This piece from The Business has, as you might have read, been roundly condemned as untrue: Microsoft invents a one-play only DVD to combat Hollywood piracy :

COMPUTER software giant Microsoft has developed a cheap, disposable pre-recorded DVD disc that consumers can play only once. The discs would give Hollywood increased control over the release of new films and allow consumers the chance to watch a film at the fraction of the price of an ordinary pre-recorded DVD. More important, the discs would prevent copying and digital piracy, which is costing the film and music industry billions in lost revenues.

Despite being widely cited, it has been shot down by Scoble and others. Not only has it been called incorrect, but also a “hoax”. Not the kind of thing a publication seeking a reputation would like to hear one of its front page stories called. After all, The Business is owned by the Barclay brothers, “who have other publishing interests in The Scotsman, Scotland on Sunday, Edinburgh Evening News, The Daily Telegraph, The Sunday Telegraph and The Spectator magazine”, according to the website.

So were the doubters right, or a tad quick with their ack-ack fire? I contacted the author, business editor Tony Glover, who says the online publication “stand[s] by the story 100% and will be running a follow-up on Sunday naming sources”. As it’s only Friday we’ll have to wait, but I’m more interested in the ping-pong this story throws up, and the difficulty readers have in ascertaining the truth. Is Scoble a Microsoft source? Is the fact that a Microsoft spokesperson “concludes” the story is not true, is it not true? I’m agnostic on whether the story is true or not (a fancy way of saying I don’t really care). But I think certain basic journalistic standards apply here. Such as

  • Someone writing the story should get an official comment on the assertion, and include that comment, or non-comment in the piece. Not to do so on anything remotely controversial is a professional lapse. To do so shows you’ve at least tried to get the story confirmed.
  • People citing, picking up or linking to the story should make their source clear, in a link and a mention of the source. Not to do so leaves the writer vulnerable should the story not be true, but, more importantly, gives the reader a chance to judge for himself the veracity of the story. (It would also help, in the case of obscure publications, to include some background on the source to assist the reader in this.)
  • When a writer finds a story they believe to be untrue, they should try to contact the author for comment when publishing their ‘knock-down’ story. At the very least, they must show they have authoritative sources who contest the story’s accuracy or veracity (not the same thing) and make this clear. They might also choose careful language which allows for the possibility of gray between the black and the white — “source X said he knew of no such meeting/product/agreement”, or “company X denied the story and said on the contrary it had no plans for xxxx”. Saying something is a hoax/has no truth to it/is bogus without enclosing the comment in quotes is not only a tad extreme, it’s not good journalistic practice. Imagine if someone did it to you.

Let’s see what Mr. Glover and The Business come up with on Sunday. Maybe all this is a storm in a teacup and we’re all comparing apples and oranges. But I’m all for a bit of temperance on the part of journalists and bloggers alike when dealing with the truth or lack of truth of another person’s story. Let he who casts the first stone be dang sure his version is pristine white.

Bluetooth And The Art Of Sex

Is Bluetooth helping Brits meet each other and have sex?

Apparently, according to WIRED, which reports on a new craze called ‘toothing’ (couldn’t they have come up with something sexier?). Toothing involves using the Bluetooth feature in a cellphone — used to transfer data between one Bluetooth device and another, without wires — to send messages to another cellphone within range (across a room, say.)

What the toothers do, apparently, is to spot someone else messing with their cellphone on a train, a mall or, somewhat unromantically, in a carpark, and then send them a message using this feature (via a trick called Bluejacking, or its more criminal cousin, Bluesnarfing). They then converse via SMS, or text, hook up and have sex. It sounds a bit like the letters pages in Penthouse.

There’s even a website dedicated to toothing (intriguingly, the Google context-aware ads that appear at the top of the site seem as confused as I: They are all about teeth whitening).

Now I have to express a bit of scepticism about this, it being so close to April 1 and all that. The story says that “when a Bluetooth phone locates another, it can see the name that the device’s owner has given it. And most, though not all, toothers use names that in one way or another betray their gender.” Is that true? In my experiments with Bluejacking, if you try to ‘discover’ other devices, the only results you will get are likely to be the name of the device (Nokio 7650, or whatever). But maybe that’s not the case everywhere.

Still, there’s no denying that Bluetooth has brought a bit of romance into people’s lives. A service called Serendipity will sniff out other phones and, if their owners are using the service, look to see whether the two people are compatible based on its database, according to the Daily Telegraph.