Inexpensive, unpatched phones put billions of users’ privacy at risk

Cellphones of all design clutter a table in order to share a single cluttered power outlet.
Enlarge / Cellphones charging in the Philippines at a station run by generator in 2013, while power was out in the wake of tyhpoon Haiyan.

Privacy, it seems, is increasingly a luxury reserved for those who can afford it. "Free" services are rarely free, and in the 21st century, the adage seems to be that if you aren't paying with your money, you're paying with your personal data. But while a user at the higher ends of the income scale can afford to be choosy with both their cash and their privacy, users of the cheap, mostly Android-based smartphones that dominate the market worldwide are bearing the burden.

Apple's iPhone might be the single most popular device line among US consumers, but the iPhone's high-end cachet comes with a matching price tag. Likewise, a premium flagship Android phone, such as a new Google Pixel or Samsung Galaxy device, runs in the $500 to $1000 range.

Connectivity, however, is happily not limited to just the global wealthy. Billions of users in both developing and mature economies to whom the price tag puts a high-end phone out of reach still have access to lower-spec devices. Nearly all of the lower-end phones available worldwide run Android, giving Google's OS a greater than 80% market share globally.

Android is easily modifiable by device manufacturers and wireless carriers, and the cheaper the phone is, the more likely it is that someone, or multiple someones, has installed crapware or malware on it, Fast Company reports.

Fast Company highlights one example: the MYA2 MyPhone, sold in the Philippines. The phone as described is a privacy and security nightmare:

First, it comes with an outdated version of Android with known security vulnerabilities that can't be updated or patched. The MYA2 also has apps that can't be updated or deleted, and those apps contain multiple security and privacy flaws. One of those pre-installed apps that can't be removed, Facebook Lite, gets default permission to track everywhere you go, upload all your contacts, and read your phone's calendar.

The wealth gap

According to data gathered by the Pew Research Center, about 17% of US adults use smartphones and only smartphones to connect to the Internet. The farther down the household-income ladder you go, the higher that percentage is. Among those whose household income falls between $50,000 and $75,000, about 10% of users are mobile-only. Among those whose household incomes fall below $30,000, the figure rises to 26%.

Fast Company points to a recently published study conducted by researchers at the University of Pennsylvania and Rutgers University. The study finds that many mobile-only, lower-income consumers were well aware that their privacy was regularly being violated, but they didn't feel they had a real choice.

"Nearly all study participants shared stories of relinquishing their data privacy, which the researchers consider to be a basic human right, in exchange for the ability to access online services and platforms," the researchers wrote. "Many people shared anecdotes about forgoing opportunities in an attempt to maintain data privacy."

The researchers concluded:

Because of the sheer ubiquity of digitized data compiled on individuals who rely on cell phones to access the Internet, the need for privacy should be elevated from a personal liberty and legal right to a matter of social justice... Data privacy is not a luxury for those who cannot afford to invest the time, resources, and effort required to actively protect one's digital assets.

Global challenge

Fast Company notes that approximately 2 billion users, or just over half of all people now online, only access the Internet on their smartphones. That number is projected to be as high as 3.7 billion users by 2025, as mobile infrastructure solidifies a foothold and gains penetration in currently underserved regions.

The problem is not new, and it's not limited to users in developing economies or low-GDP nations. In 2016, for example, 120,000 Android phones distributed inside the US by BLU Products were found to be sending users' text messages and other highly sensitive data to China. The security hole was not a bug but a feature of the phones—the phones just weren't meant to be distributed that way inside the United States.

(BLU reached a settlement with the Federal Trade Commission in April 2018.)

Dozens of other models of Android phones have been found in recent years to arrive pre-loaded with malware or boasting backdoors that should not be—particularly phones distributed by low-cost resellers.

And the trade-off isn't always surreptitious. In 2016, for example, Amazon launched a program selling cheap, unlocked Android phones with "special offers" (i.e. advertisements) baked into the lock screen and certain pre-installed apps. The company dumped the program in 2018 after Google changed the terms of its developer policy.


View Original