Carrier IQ and Your Phone - Everything You Need to Know

Everything related to Handheld devices goes here.

Moderator: Release Moderator

Post Reply
User avatar
Shaggy
Ultimate Donator
Ultimate Donator
Posts: 2022
Joined: 14 Feb 2010, 12:48
Location: United States
Has thanked: 18 times
Been thanked: 13 times

Carrier IQ and Your Phone - Everything You Need to Know

Post by Shaggy »

Carrier IQ hit with privacy lawsuits as more security researchers weigh in. By Jon Brodkin

Carrier IQ, the new poster child for (alleged) smartphone privacy violations, has been hit with two class-action lawsuits from users worried about how the company's software tracks their smartphone activity. Carrier IQ, of course, professes its innocence. But the company has also received some public support from security researchers who say Carrier IQ's software is only tracking diagnostic information and likely is not violating user privacy.

It all began recently with a developer named Trevor Eckhart showing how Carrier IQ software seems to record button presses, search queries and the contents of text messages on an HTC Evo Android phone, with no way for the user to shut the tracking activity off. Carrier IQ initially tried to silence Eckhart with a cease-and-desist letter, but ultimately backed down on the threat in the face of opposition from the Electronic Frontier Foundation.

But Carrier IQ still has legal and publicity problems to handle. One new class-action lawsuit names both Carrier IQ and HTC, accusing the companies of violations under the Federal Wiretap Act. Another lawsuit was filed against Carrier IQ as well as HTC and Samsung, both of which have confirmed installing Carrier IQ software on their smartphones, saying they do so at the request of wireless carriers.

Carrier IQ, speaking to All Things D, said its software doesn't log or understand keystrokes. “The software receives a huge amount of information from the operating system,” Carrier IQ marketing vice president Andrew Coward said. “But just because it receives it doesn’t mean that it’s being used to gather intelligence about the user or passed along to the carrier.”

Coward further said his company's software is used to help carriers diagnose problems. “If there’s a dropped call, the carriers want to know about it,” he said. “So we record where you were when the call dropped, and the location of the tower being used. … Similarly, if you send an SMS to me and it doesn’t go through, the carriers want to know that, too. And they want to know why—if it’s a problem with your handset or the network.”

The company also posted a statement on its website saying "Our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video. For example, we understand whether an SMS was sent accurately, but do not record or transmit the content of the SMS. We know which applications are draining your battery, but do not capture the screen."

Security researchers who spoke to the Los Angeles Times disagreed with the conclusions Eckhart made, saying there's no evidence the diagnostic information collected by Carrier IQ is stored or transmitted.

Virtual Security Research consultant Dan Rosenberg said "I've reverse engineered the software myself at a fairly good level of detail. They're not recording keystroke information, they're using keystroke events as part of the application." What that means, according to the article, is Carrier IQ software knows when a button is pressed, just as your e-mail application knows when you hit reply, but it doesn't record each keystroke or send a record of it to anyone.

Ultimately, how much information is collected on Android phones and what is done with it seems to be up to the carriers. We asked AT&T exactly what information is logged on its phones, where it is sent and how it is used. While we didn't receive a detailed response, AT&T did tell us "In line with our privacy policy, we solely use CIQ software data to improve wireless network and service performance."

We haven't heard back from Sprint, but the company told Computerworld that "We collect enough information to understand the customer experience with devices on our network and how to address any connection problems, but we do not and cannot look at the contents of messages, photos, videos, etc., using this tool."

Ars spoke with Apple yesterday, and we heard much the same thing. While Apple is in the process of phasing Carrier IQ out of iOS, it said "data was sent anonymously, and in encrypted fashion. We did not record keystrokes, messages or any personal information for the diagnostic data, and we have no plans to in the future."

Carrier IQ boasts that its software is deployed on more than 141 million handsets, and has operated for several years without any major level of controversy. Clearly, smartphones would be capable of tracking much of our activity even if Carrier IQ never existed. But the lawsuits filed against Carrier IQ and its customers, and forthcoming responses to Franken's letters, should shed more light on exactly what information is collected and how it is used.

A statement issued by Sprint says that while it "cannot look at the content of customer messages, e-mails, photos, videos, etc., using the diagnostic tools offered by Carrier IQ," it uses the tool to analyze device and network performance to identify problems and resolve them. Sprint says the data it collects is anonymized and "not sold or provided to anyone outside of Sprint."

What is Carrier IQ?
Carrier IQ, made by a Mountain View-based company of the same name, is software that runs in the background of your cellphone or mobile device. It’s there to examine how your information travels over your wireless provider’s network. Basically, it looks at how well your texts are going through, how fast your emails are getting delivered, and how much you’re clogging up things by watching Netflix all the time — with the intention of relaying that information to carriers so they can find ways to optimize their networks.


Carrier IQ is so controversial for a few reasons:

It’s hidden. Short of rooting, or removing certain software safeguards to obtain “administrator” access to your phone, it’s almost impossible to know if it’s there.
It’s everywhere. The software reportedly exists on millions of handsets on several carriers, including many Android phones and even some versions of the iPhone.
It’s not opt-in. Without the user’s explicit approval, the software is enabled and gathering data on the phone.
It’s voracious. According to Trevor Eckhart, who created the recent explosion of attention on Carrier IQ with a video he posted on YouTube earlier this week, the software logs every keystroke and incoming text message. However, there’s some question about how much of this information is actually sent to the carriers.

In a statement, Carrier IQ says the software is only “counting and summarizing performance, not recording keystrokes or providing tracking tools.” It goes on to say that it shares the data only with its customers, the wireless carriers, and that the carriers have stringent policies on data retention. Independent mobile-security company Lookout wrote in a blog post, “It doesn’t appear that they are sending your keystrokes straight to the carriers.”

The man who first pointed out the issue, Trevor Eckhart, demonstrated that Carrier IQ indeed was logging keystrokes on his HTC EVO 3D smartphone, among other activity. When Carrier IQ sent him a cease-and-desist letter for saying the software was acting as a keylogger, the Electronic Frontier Federation (EFF) came to his defense. Carrier IQ backed off, issuing an apology.

This all sounds bad. Is this legal?
Paul Ohm, a former prosecutor with the Justice Department says no way. He recently posted on Twitter: “If the Carrier IQ/cellphone rootkit story is accurate, this is a clear, massive, felony wiretap. Not a close case.”

Senator Al Franken, who raised privacy concerns over location tracking on cellphones earlier this year, also had a strong message for Carrier IQ, saying, “The revelation that the locations and other sensitive data of millions of Americans are being secretly recorded and possibly transmitted is deeply troubling. This news underscores the need for Congress to act swiftly to protect the location information and private, sensitive information of consumers. But right now, Carrier IQ has a lot of questions to answer.”

Is the software only on smartphones?
Carrier IQ says its software is on feature phones, smartphones, and tablets.

Is it on my phone?
Carrier IQ is running on 141 million devices in the U.S., according to InformationWeek. Among the major carriers, Sprint and AT&T have confirmed that they use it, and Verizon Wireless told Mashable that it doesn’t. Update: In an email to Mashable, a T-Mobile spokesperson wrote, “T-Mobile utilizes the Carrier IQ diagnostic tool to troubleshoot device and network performance with the goal of enhancing network reliability and our customers’ experience. T-Mobile does not use this diagnostic tool to obtain the content of text, email or voice messages, or the specific destinations of a customers’ internet activity, nor is the tool used for marketing purposes.”

On the manufacturer side, both RIM and Nokia made statements that said it doesn’t install or authorize its carrier partners to install Carrier IQ on phones. Nokia similarly denied installing Carrier IQ on its products. If you’re an iPhone owner, Apple told AllThingsD that it removed Carrier IQ “in most of its products” when it released iOS 5, with plans to remove it completely in a future software update.

How do I get rid of Carrier IQ?
If you have an Android phone, you can find out whether or not Carrier IQ is installed by using Eckhart’s Logging Test App, and you can use the app to remove the software for the cost of a dollar. The app requires rooting your phone, however, so proceed with caution and be warned: Some reports say it’s not always successful.

On an iPhone, it may already be absent from your iOS 5 device, according to Apple, but if you want to be 100% safe, TechCrunch says you should open your settings, go to “Diagnostics & Usage,” and select “Don’t Send.”

How likely is it that data collected by Carrier IQ could be accessed by a third party?
Considering there are no reports of this ever happening, you might conclude that it’s extremely unlikely. In its statement, Carrier IQ says the data it gathers is encrypted in its own network, or the carriers’ networks.

It’s unclear how secure the data stored on the phone itself is, however. Eckhart managed to access it, albeit on his own phone. It’s all hypothetical, but if you take into account the recent emergence of Android malware that’s able to “root” a phone, it’s impossible to rule out the idea that someone could design a piece of malware that could root the phone and access the data. In theory, it’s possible, but again, there are no reports that anyone’s done it.
As Phyllis Diller said: “A smile is a curve that sets everything straight”!
Image
Image
caterwauls
Warrant Officer
Warrant Officer
Posts: 384
Joined: 24 Oct 2009, 16:46
Has thanked: 2 times
Been thanked: 4 times

Re: Carrier IQ and Your Phone - Everything You Need to Know

Post by caterwauls »

Carrier IQ's defense is that they are neither powerful enough nor smart enough to gather that info, not that they didn't.
BTW, phyllis diller's the bomb.
Last edited by caterwauls on 03 Aug 2012, 23:09, edited 1 time in total.
User avatar
Shaggy
Ultimate Donator
Ultimate Donator
Posts: 2022
Joined: 14 Feb 2010, 12:48
Location: United States
Has thanked: 18 times
Been thanked: 13 times

Re: Carrier IQ and Your Phone - Everything You Need to Know

Post by Shaggy »

thanks for comment, and Phyllis Diller is the bomb :)
As Phyllis Diller said: “A smile is a curve that sets everything straight”!
Image
Image
fredpc
Premium User
Premium User
Posts: 2029
Joined: 21 Oct 2009, 15:23
Location: In The Matrix
Has thanked: 7 times
Been thanked: 9 times

Re: Carrier IQ and Your Phone - Everything You Need to Know

Post by fredpc »

Thanks for the info :thumbup: but I'm not surprised

There are electronic devices have some form of info gathering
EG:
Windows media player had (info gathering) known as .....(Alexa virus) It could also be in your browser

I had an untouched version of Windows that I had Installed ......It hadn't been on the net and it wasn't a downloaded copy but the Alexia virus was already there, a plant by microsoft ?

I'm sure if you looked hard enough it could be in our TV's ,Ipods, Ipads, Tablets as well as your phone
Last edited by fredpc on 07 Aug 2012, 09:00, edited 1 time in total.
Post Reply

Return to “Mobiles & Media Players”