Slashdot Mirror
CarrierIQ Tries To Silence Security Researcher
phaedrus5001 sends this quote from a story at Wired:
"A data-logging software company is seeking to squash an Android developer's critical research into its software that is secretly installed on millions of phones, but Trevor Eckhart is refusing to publicly apologize for his research and remove the company's training manuals from his website. Though the software is installed on millions of Android, Blackberry and Nokia phones, Carrier IQ was virtually unknown until the 25-year-old Eckhart analyzed its workings, recently revealing that the software secretly chronicles a user's phone experience, from its apps, battery life and texts. Some carriers prevent users who actually find the software from controlling what information is sent."
The EFF is hosting PDFs of CarrierIQ's C&D letter, as well as their response on Eckhart's behalf.
My Brothers and Sisters in Christ,
This man is working to remove software which can be used to identify pedophiles, rapists, and other ungodly characters which are plaguing this nation. He should be brought to justice for undermining our government's attempt to keep our land free and Christian. I propose that we take this software a step further, and have it display a random Bible verse on bootup of the device, in order to spread Christ's message to the unsaved.
God bless,
Jake
Looks like CarrierIQ is trying to save face in their PA http://www.carrieriq.com/Media_Alert_User_Experience_Matters_11_16_11.pdf I wonder, I'm not entering a contract with CarrierIQ, are they collecting this data to their own servers then sending the data to the carriers or are the carriers collecting the data?
the software secretly chronicles a user's phone experience, from its apps, battery life and texts.
Let's hope someone succeeds in reverse engineering and implementing a copy of the CarrierIQ protocol, as I wish it to be known that my favorite App is the "Nude Crocheting Pocket Guide", and my current battery life is "Purple".
I will also be happy to forward my texts (which I shall not utter here) to the phone company as well, as soon as an international SMS character set for the language of Morder is approved.
Their software serves a legitimate purpose. It reports usage metrics so that phone makers can make phones that better serve people's needs. This is a Good Thing.
The problem is that you should be allowed to opt out. Some people don't like participating in these programs, and that should be their choice. By default, CIQ's software lets the user opt out. The problem here is that some companies are blocking that option or making it extremely difficult. They are the ones who should be criticized here.
Let's see them track me on my landline! They'll never know where I am!
Root your phone and load a custom rom, that will take care of a few problems. CIQ, Bloatware, and you can freely tether your internet.
They'd better watch out for the Streisand Effect.
... then maybe I have hope of getting a fix, or at the very least, a more efficient battery on my next phone.
Occasionally living proof of the Ballmer peak.
I don't know how even on Slashdot there are some people who tend to argue "what do I care, if I'm not doing anything bad with my phone?" Let's get rid of that before it gets started here. I have a Samsung, Android, Sprint phone. That means I apparently have a logger installed that can track every key I press, every message I send, every web site I visit. That means that Sprint, Sprint employees, and whosoever Sprint or its employees should share this information with, whether that be government, advertisers, companies or individuals with malicious or invasive intent, whether this is shared on purpose or by accident or security breach, has access to such things as:
Phones are not just text messaging and dialing devices anymore. A keylogger on my phone is equally offensive as a keylogger on my home PC, and has the potential for just as great a compromise of my life's privacy and security. I have no control over the security with which Sprint or anyone else transmits or stores my personal information, and even more importantly, they have no right to have it in the first place. Besides the fact that the FBI has a well-known history of tracking the lives of many private citizens with politically motivated intent, I certainly do not care for the idea of private corporations and whoever works for them having all of my passwords and knowing where all my accounts are. There is no reasonable argument for why I should think this is okay. I do not have to be doing anything illegal for me to reasonably object to my mobile phone company having, or storing (with who knows what security), a back door into every single piece of my life. Somebody whose involvement in my life is supposed to be merely providing me with telephone service does not need and has no right to expect the master key to my whole digital, financial, social, and business life.
I will be contacting Sprint and asking them for a means to permanently remove this software from my phone. If they are unwilling (which they probably will be, but they need to actively hear a complaint from me and everyone else so they understand the offensiveness of their actions), I will have to go down the "root it and fix it myself" path. I hope the rest of you with affected phones will do the same.
Is it me, or is the first point in the "Agreement" that CarrierIQ wants Eckhart to sign actually imply that CarrierIQ is performing the illegal copying???
I _______, agree to immediately
Cease and desist your unlawful copying of the Training Manuals
I am Slashdot. Are you Slashdot as well?
They are inflicting a financial cost (bandwidth charge) upon you without consent. It's like buying a car and having them keep a set of keys so they can take it for joyrides (using your gas).
This is the only question I have right now. It's only a minor process to root my phone and install CyanogenMod on it.
Someone I was speaking with today was theorizing that there is actually a hypervisor layer running on smart phones, so even if you do root it, you're still not really getting raw access to the hardware - you're just rooting one VM, and this spyware runs in the hypervisor. I don't know how true this is, but I figure someone here knows.
This makes them an easy target for a MASSIVE class-action suit. California has some strict consumer protection and privacy laws.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
yes, because completely anonymous crowd sourced location data is just like having the carrier snoop on your every text and call.
Non impediti ratione cogitationus.
Ms. Woods,
I possess and use an HTC EVO 3D smartphone in line with my daily duties for my employer and various clients. This phone contains your employer's software (CarrierIQ for Sprint), which was bundled with the device and zero disclosure that it was installed or of its capabilities.
My device contains HIPPA-protected data (specifically relating to EMR software and the data contained therein) as well as PCI-DSS related information for my company's various clients. As such, it is protected by all manner of privacy laws, the breach of which results in severe penalties under United States law.
After reading Trevor Eckhart's research and doing some of my own, I am curious as to specifically what data your organization is capturing on Sprint's behalf, as well as to what extent they have customized their build of your software, and what its capabilities with their modifications are.
If the software, either in its original form or modified, does indeed capture data from a phone, including the ability to take screenshots or access the contents of e-mail accounts or SMS messages, this could potentially be in violation of all manner of privacy acts, depending on what data is being harvested and whether your client has the option to turn such collection on or not.
Please note that, among other techniques, I will be disassembling the binaries that I possess on my device and will be comparing it against the original ROM image that HTC has issued for this device in order to differentiate what, if any, changes are pushed out through over-the-air updates in order to determine the capabilities of the software as best I can.
To the best of my knowledge, I have never accepted any license agreements or restrictions regarding the software on my device, and as such, I am not bound to refrain from analyzing the software as I see fit, nor from having the results peer-reviewed and published once completed.
If your department is unable to answer my questions, please relay this to someone else inside your organization as you see fit.
I remain,
INSERT_NAME_HERE
Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
Read the F*ing Find Print people! Your wireless carrier can do whatever they want with devices provisioned on their network. You therefore cannot be "surprised" when a third party comes along and offers them "services" to track customer usage patterns.
From AT&T Wireless Terms and Conditions
You acknowledge that every business or personal decision, to some degree or another, represents an assumption of risk, and that neither AT&T nor its content and service providers or suppliers, in providing information, applications or other content or services, or access to information, applications, or other content underwrites, can underwrite, or assumes your risk in any manner whatsoever.
.... and ....
From 3.1 "My Device"
You are responsible for all phones and other devices containing a SIM assigned to your account ("Devices"). Your Device must be compatible with, and not interfere with, our Services and must comply with all applicable laws, rules, and regulations. We may periodically program your Device remotely with system settings for roaming service, to direct your Device to use network services most appropriate for your typical usage, and other features that cannot be changed manually.
Devices purchased for use on AT&T's system are designed for use exclusively on AT&T's system ("Equipment"). You agree that you won't make any modifications to the Equipment or programming to enable the Equipment to operate on any other system. AT&T may, at its sole and absolute discretion, modify the programming to enable the operation of the Equipment on other systems.
Harrison's Postulate - "For every action there is an equal and opposite criticism"
I was hoping someone can convince CarrierIQ to pay the millions of smartphone users that have the software installed on their phone.
If I were to find this software on my phone, might it generally be a violation of the Terms so I can opt out of the contract?
Although I would like this to work, I'm familiar with PCI-DSS and I'm pretty sure that it's your fault for keeping this data on a cell phone which is not PCI-DSS compliant and not the carrier's/CarrierIQ's
I use a Blackberry, and I am concerned about this software, yet I cannot find any evidence of the validity of the claims, from any sources other than the original research.
Can anyone verify that CIQ does indeed exist on Blackberrys, and if so, how to remove it?
So rise up, all ye lost ones, as one, we'll claw the clouds.
This looks like it would be a very useful tool for debugging. Being able to see things in real time and plain text is very helpful. That being said, so are ssldump, strace, and gdb. However, I don't install any of these utilities unless I need to do some debugging. An application that can not be uninstalled, can not be turned off, and actively divulges private information is nothing less than a spyware rootkit.
Having to work for a living is the root of all evil.