iRex iDS - Big Brother is watching you?

[doctorow]

Haven't you asked yourself what kind of information iRex can gather from you when you connect to their iDS? For example, this is an iRex employee's answer to a user having problems with his soft upgrades:

Quote:

We've checked the server logs, but you did follow the upgrade line that Karel gave.
We can see that you did the pre-update, connected to get 2.6, failed (corrupt fs) connected again and got 2.6, after which your device rebooted and 2.6 was installed.
After that you connected and got the release notes and the 2.6.1 update.

Conclusion: your device is fine, it is now on 2.6.1 as is everyone else.

P.S. When a corrupted file is downloaded, it is discarded and you have to try again. It will refuse to install a corrupted SW update.

P.P.S. If your Device Manager shows "MMC" instead of "SD", you know for sure you did get 2.6 and not just the 2.6.1 patch.

--> http://forum.irexnet.com/viewtopic.php?t=407

That's already quite a lot of information they got (and we don't know if this is all). I wonder about the implications, in particular if you are from a non-EU country.

[ali]

They know everything about the installed software. At some points, they solved problems by scheduling updates to specific users. (One wanted to switch over to the chinese software, two had their toolbars reinstalled) It seems legal to me (though it's definitly big brother).

Connecting to iDS seems not to transfer information about the user to iRex, so that's good. All they know is what you entered in registration form, which (as I confirmed myself) can be filled in with bogus data.

[doctorow]

Quote:

Originally Posted by ali

Connecting to iDS seems not to transfer information about the user to iRex, so that's good. All they know is what you entered in registration form, which (as I confirmed myself) can be filled in with bogus data.

And they always see your MAC address/EUI64, which can be presumably tied to your shipping address (since it's all hand-delivered).

[VillageReader]

As far as international implications, I think privacy standards are higher in the EU than the US.

Also, when they do get content delivery ironed out, there will need to be a way to tie the machine to the content purchased.

Sounds to me like the detailed information that is of 'concern' is little more than the login info captured when logging in to almost any system.

[doctorow]

I don't disagree that privacy standards in the EU may be higher than in the US.

The real issue is that there may be individuals or companies whose personal or professional background does not allow them to be scrutinized by a EU (Dutch)-based company.

It's a blackbox and you don't know what's going on. They obviously log data about you. You may have sensitive material on your iLiad. Can you guarantee to your company that iRex or a renegade iRex employee has no means to access this material?

[ali]

Quote:

Originally Posted by doctorow

It's a blackbox and you don't know what's going on. They obviously log data about you. You may have sensitive material on your iLiad. Can you guarantee to your company that iRex or a renegade iRex employee has no means to access this material?

No, you can't. But you can sniff the connection, which is plain https, and see there's nothing. The logs are just technicalities without privacy implications. No problem so far. (Says me, who's paranoid enough to have a 27-character-password for his gpg key) (Who's even paranoid enough to slightly change the character count before posting it)

[Alexander Turcic]

Hey, it wasn't that easy - I remember some of us sniffing newbies first had some difficulties passing through the https connection

The point seems that for those most concerned, iRex leaves no option to upgrade their iLiad in a non-privacy-invading way.

And it doesn't come as a surprise that giants like Microsoft claim that they are not logging any personal information, such as IP addresses, during the Windows udpate.

[branko]

The Dutch organisation for the protection of privacy has an English language website.

From what I understand, if organisations collect data about identifiable persons, they need to register with the Dutch DPA (CBP in Dutch).

A citizen can ask to see their personal "file".

I also seem to remember something about an obligation to publish a (legally binding) privacy statement, but could not find anything about that. Perhaps that's part of European law.

[scotty1024]

I'm sure they told the CBP they'd get registered as soon as they cleaned up their logs.

The pre-install script I looked at reported back to iDS if it found dropbear on the system (and then wiped it out.) A nit picker could definitely pick a nit with them removing functionality already present on their unit with out asking for one's permission first...

Once they sell it to me, its mine. Theoretically I haven't rented the unit...

[TadW]

They would probably argue that removing SSH access does not constitute an injury to your ownership, since SSH is not required for the core functionality of the device.

[scotty1024]

One person's "I don't care" feature is another person's "I needed that" feature. I'm sure there are several developers whom would argue that the core functionality of the device, to them, had been adversely affected.

If I ask my general contractor for my new home to come back and fix several issues with my new home and he removes the device in the kitchen sink that chews up waste food, which wasn't on the list, has that contractor adversely affected the core usage of the house?

When I went through customer service training I was taught that you always ask permission, even if it isn't "required", "I will get you that information right now sir, may I please put you on hold?" being a minor example.

Phillips has a very well trained staff and I've been stunned several times that iRex, a Phillips spin off, seems to have no one trained in providing quality customer service.