Tag Archives: VentureBeat

The Phantom Threats We Face

This is a copy of my weekly Loose Wire Service column.

By Jeremy Wagstaff

We fear what we don’t know, even if it’s a guy in Shenzhen trying to make an honest living developing software that changes the background color of your mobile phone display.

Here’s what happened. I’ll save the lessons for the end of this piece.

A guy who prefers to go by the name Jackeey found a  niche for himself developing programs—usually called apps—for the Android cellphone operating system.

They were wallpaper applications—basically changing the background to the display.

That was until an online news site, VentureBeat, reported on July 28 that a security company, Lookout, had told a conference of security geeks that  that some downloadable applications to phones running the Android operating system would “collect a user’s browsing history, their text messages, the phone’s SIM card number and subscriber identification, voicemail phone number password” and send all this data to a website owned by someone in Shenzhen, China.

Yikes! Someone in China is listening to our conversations! Figuring out what we’re doing on our phone! Sending all this info to Shenzhen! Sound the alarum!

Word did indeed spread quickly. About 800 outlets covered the story, including mainstream publications like the Daily Telegraph and Fortune magazine: “Is your smart phone spying on you?” asked one TV station’s website.

Scary stuff.

Only it isn’t true. Firstly, VentureBeat had the story wrong: The applications in question only transmitted a portion of this data. No browsing history was transmitted, no text messages, no voicemail password.

VentureBeat corrected the story—sort of; the incorrect bits are crossed out, but there’s no big CORRECTION message across the top of the story—but the damage was done. Google suspended Jackeey’s apps. Everyone considered Jackeey evil and confirmed suspicions that a) Android was flakey on security and b) stuff from China was dodgy.

All kind of sad. Especially when you find that actually Jackeey himself is not exactly unreachable. A few keyword searches and his email address appears and, voila! he’s around to answer your questions. Very keen to, in fact, given the blogosphere has just ruined his life.

Here’s what he told me: He needed the user’s phone number and subscriber ID because people complained that when they change their phone they lose all their settings.

That’s it. That’s the only stuff that’s saved.

Needless to say he is somewhat miffed that no one tried to contact him before making the report public; nor had most of the bloggers and journalists who dissed his applications.

“I am just an Android developer,” he said. “I love wallpapers and I use different wallpaper every day. All I want is to make the greatest Android apps.”

Now of course he could be lying through his teeth, but I see no evidence in the Lookout report or anything that has appeared subsequently that seems to suggest the developer has done anything underhand. (The developer has posted some screenshots of his app’s download page which show that they do not request permission to access text message content, nor of browsing history.)

In fact, he seemed to be doing a pretty good job: His apps had been downloaded several million times. He declined to give his name, but acknowledged that he was behind both apps provided under the name Jackeey, and under the name iceskysl@1sters.

The story sort of ends happily. After investigating them Google has reinstated the apps to their app store and will issue a statement sometime soon. It told Jackeey in an email that “Our investigation has concluded that there’s no obvious malicious code in your apps, though the implementation accesses data that it doesn’t need to.”

VentureBeat hasn’t written an apology but they have acknowledged that: “The controversy grew in part because we incorrectly reported in our initial post that the app also sent your text messages and browser history to the website.”

For his part Jackeey is redesigning his apps to take into account Google’s suggestions. He points out that to do so will require him to have users set up an account and enter a password, which some users may be reluctant to do. And the Google suggestion is not entirely secure either.

Obviously this is all very unsatisfactory, in several ways.

Firstly, the journalism was a tad sloppy. No attempt was made to contact the developer of the app for comment before publishing—how would you feel if it was your livelihood on the line?—and the correction was no real correction at all.

Secondly, the internet doesn’t have a way to propagate corrections, so all the other websites that happily picked up the story didn’t update theirs to reflect the correction.

Thirdly, Google maybe should have contacted Jackeey before suspending the apps. It would have been kinder, and, given they’ve not found anything suspicious, the right thing to do.

Fourthly, us. We don’t come out of this well. We are somehow more ready to believe a story that includes a) security issues (which we don’t understand well) and b) China, where we’re perhaps used to hearing stories that fit a certain formula. Suspicious?

And lastly, perhaps we should look a little harder at the source of these reports.  We seem very quick to attribute suspicious behavior to someone we don’t know much about, in some scary far-off place, but less to those we do closer to home: Lookout’s main business, after all, is prominently displayed on their homepage: an application to, in its words, “protect yourself from mobile viruses and malware. Stop hackers in their tracks.”

So spare a thought for Jackeey. If you do a keyword search for him, the first hit is the story “’Suspicious’ Android wallpaper app nabs user data”, and links to 863 related articles. Below—a week after the hoo-ha, and after Google has sort of put things right–are headlines like: “Jackeey Wallpaper for Android steals your personal info”, “Your Rotten App, Jackeey Wallpaper” and “Jackeey steeling [sic] info on Android devices”.

In other words, anyone who checks out Jackeey’s wares on Google will find they don’t, well, check out.

I got back in touch with Jackeey to see how he’s holding up, a week after the storm broke. I’m in some pain, he says, “because mass negative press said that I steal users’ text messages, contacts and even passwords.” People have removed his applications from their phone, and people have been blasting him by email and instant messaging, calling him “thief”, “evil person” and other epithets.

“I am afraid that it will destroy my reputation and affect my livelihood forever,” he says.

I’m not surprised. We owe to folk like Jackeey to make apps for our phones, so we should treat him a little better.

Get the New Fear, Same as the Old Fear

It’s early January, the first post of the year and already I’m feeling a bit weary of Web 2.0 and blogging. My ennui is really fear: fear that journalists don’t get blogging, that bloggers don’t get journalism, and that all of us are covering something that isn’t half as exciting as it was looked a year or so ago.

First off, the sense the that Web 2.0 isn’t quite what it was cracked up to be. Word is out that more dot.coms are hitting the dust, or at least sniffing it: TechCrunch and VentureBeat both have something to say on the subject. My sense? Amidst all the money, the cute (and samey) logos and cute (and samey) names, we’ve kind of forgotten what Web 2.0 is about. It’s about doing things that make sense online, not doing things online for the sake of it.

But then there’s the bigger worry, at least for me: is my job about to be taken over by bloggers who can’t write and have PR cards up their sleeve? Nick Carr thinks so, laying in less than subtly to Andy Abramson, pointing to what he says is poor grammar, sloppy spelling and half-baked sentences masquerading as New Journalism. I declare an interest here: I know and personally like Andy, so I’m not going to join in what is to me in any case a tad too personal. Suffice to say that we need this year to get sorted out the ethics of being a blogger before we a) start calling blogging journalism and b) start seriously alienating both reader and traditional journalist. My rule of thumb is: If you’re hawking something other than the objective unvarnished truth, declare it and leave the building. Let’s not muddy the waters further.

Finally, let’s not confuse being nice with being honest and being straightforward. I count Steve Rubel among those I personally like in this terrain, but it shouldn’t stop me saying what I think. Steve makes a strong argument in favor of ignoring ‘mean people’; he’s struck dozens of ‘mean-spirited blogs’ off his reader list this year. Steve is of course free to do what he likes and read who he likes. And I am certainly not crazy about some of the pettiness and personal attacks that the technorati blogosphere seems to mistake for trenchant writing of late. But here’s my suggestion for Steve and others: be careful to distinguish snark from critical writing. The two aren’t always the same. Sometimes there’s stuff we don’t like to read but we should.

My new year’s resolution is to try to keep remembering that the only person we should be writing for is the person who wants to know the truth, and wants to know that we don’t carry any extra baggage — either for or against the subject — when we write it. Have a good year.