Slashdot Mirror

← Back to Stories (view on slashdot.org)

Android Dev Demonstrates CarrierIQ Phone Logging Software On Video

Posted by Soulskill on from the hand-in-cookie-jar dept.

Token_Internet_Girl writes with a followup to last week's news about Android developer Trevor Eckhart, who was researching software from CarrierIQ, installed on millions of cellphones, that secretly logged a variety of user information — from button presses to text message contents to browsing data. CarrierIQ tried to silence Eckhart, but later backtracked. Now, Eckhart has posted a video demonstration of CarrierIQ's logging software. From the article: "The company denies its software logs keystrokes. Eckhart’s 17-minute video clearly undercuts that claim. ... The video shows the software logging Eckhart's online search of 'hello world.' That's despite Eckhart using the HTTPS version of Google, which is supposed to hide searches from those who would want to spy by intercepting the traffic between a user and Google. ...the video shows the software logging each number as Eckhart fingers the dialer. 'Every button you press in the dialer before you call,' he says on the video, 'it already gets sent off to the IQ application.'"

25 of 322 comments (clear)

  1. Can't someone sue the carriers? by Anonymous Coward · · Score: 5, Insightful

    There is an asymmetry in the system as it works right now. Which private customers have the will, time, and money to sue companies that illegally wiretap their customers? Isn't there anything that can be done against this? (Of, I'm talking about action against CarrierIQ but about action against the carriers that use their software.)

    1. Re:Can't someone sue the carriers? by fsckmnky · · Score: 5, Insightful

      companies that illegally wiretap their customers

      Therein lies the rub. In order to use your cellphone/smartphone, you have to sign the carriers agreement, and in the carriers agreement, there is undoubtedly a clause where you give them permission to collect your data and use it as they see fit. This makes the data collection legal, not illegal, as you agreed to it.

      Nothing short of privacy regulation specifically forbidding carriers to use this information, or at the very least, allowing you to specify that you would like your data to remain private, will prevent this practice from being standard, as the monetary incentive is to collect the data. Corporations have an obligation to protect and grow shareholder value, no matter how many advertisements they run claiming "We care about our customers."

    2. Re:Can't someone sue the carriers? by Theophany · · Score: 5, Insightful

      A contractual agreement to something deemed illegal does not overrule the law.

      If a judge found the activity to be unlawful, which I suspect is where the core of the issue rests, then whether or not there was a contractual agreement is irrelevant. I see no reason for a carrier's data collection policy to include keylogging everything a customer does outside of extenuating circumstance (suspected terrorist or something).

    3. Re:Can't someone sue the carriers? by fsckmnky · · Score: 3, Insightful

      Kudos. Lets hope the rest of the world adopts a sane, fair approach.

    4. Re:Can't someone sue the carriers? by fsckmnky · · Score: 3, Insightful

      I should add, that the moment I heard that Google was releasing a smartphone OS aka Android, my first thought was "Nice. Now google can spy on everyone when they are away from their computer and follow their movements in the physical world."

      Beware of free ice cream from pimply faced CEOs of publicly traded corporations who claim to have your best interests in mind.

      This situation is only going to get worse. The same data collection practices concerning smartphones are being adopted by car manufacturers, and Google wants to use event data that your spiffy new car collects, in order to "predict" and "suggest" a route for you to travel. Do you really think Google ( and other companies active in this area ) are doing all this work for free because they like you ?

      http://media.ford.com/article_display.cfm?article_id=34591

    5. Re:Can't someone sue the carriers? by fsckmnky · · Score: 4, Insightful

      Carrier IQ DENIES that they are recording keystrokes.

      They aren't recording "keystrokes" .... they are recording "event data" of which, keystrokes are merely a sub-class of events. It's not a lie, just like when Bill Clinton told everyone "I did not have sexual relations with [Monica Lewinsky]." He didn't have sexual relations, as in, intercourse, he just played around with a cigar.

      So even if our agreement with the carrier permits logging/capturing of this data, it doesn't allow you to LIE about doing it.

      As argued above, they are not "lying." They are simply being extremely technically specific in their statements.

      We, as private citizens, need to get better at reading between the lines, as that is where the truth is, in order to protect ourselves from the non-lying-liars.

    6. Re:Can't someone sue the carriers? by alostpacket · · Score: 3, Insightful

      While I agree with the spirit of your rant, AT&T did just show us this past spring that we might already be in such a dystopia. They challenged a customer's right to partake in a class-action lawsuit (when a customer had signed an binding arbitration contract. AT&T took it to the supreme court and won.

      --
      PocketPermissions Android Permission Guide
    7. Re:Can't someone sue the carriers? by Goaway · · Score: 5, Insightful

      So, a third party had to make this spy app for the carriers because Google was not spying enough on users for their taste. And your conclusion is that Google is evil.

    8. Re:Can't someone sue the carriers? by Ash+Vince · · Score: 3, Insightful

      Yep. This is why I will never get an Android device or use Google+. They want to spy, and they spy everything. On top of that, other companies will start to feel that it's ok to do. If the practice can continue without interruption, we will all lose privacy. It's funny how everyone always fights losing privacy to the government. Google, Carrier IQ and the companies are just middle hands for that!

      But why single out Google? All smart phones are going to do crap like this so the only way to escape it is to only use products that are completely open and unlocked.

      Bear in mind that this thread is not actually about anything Google can change, it is about some extra software that carriers (ie - AT&T, etc) are adding to android after google are done with it. There is very little you can do to avoid this as all the carriers are just as bad but you can at least not just blame google because they created an open phone platform that some other company wrote bad software for. Do you blame Apple for Mac IE5 being shit or Microsoft?

      --
      I dont read /. to RTFA, I read /. to offend people in ignorance.
    9. Re:Can't someone sue the carriers? by fsckmnky · · Score: 4, Insightful

      there's a LOT of things you can't just ask consumers for permission on the TOS and then go "nanananan it's legit you signed the contract!". same thing applies to that you can't sign away your career through non-competes even if some employer wants you to believe so.

      There is no law that I am aware of, that prevents private parties ( carrier and customer ) from agreeing to share information with each other. As for non-compete agreements, that is an entirely different issue ( legally ) than information sharing. It is voluntary for you to share, or not share, information with another party, while it is decidedly not voluntary for you to work and earn a living, unless someone else is working and earning a living to support you.

      if it were legal to write any fucking kind of contract you want we would all be living in some crazy dystopia where everybodys life was determined by contracts written and signed before the person was even born(that would be pretty much what sucked about the middle ages).

      I hate to break the news to you, but this is the world you live in now. Contracts are binding unless found all or in part ( under specific circumstances ) to be invalid by prior legislation or precedent.

      because it's such a fucked up business decision in the first place and only serves to move money _away_ from the operator.

      No. It increases shareholder value, up until the point where the public 1) becomes aware of it and 2) refuses to accept it and 3) finds the will to boycott the service. Unless all 3 of those things happen, the data collection is valuable, and enhances the bottom line.

      so do you really think it would be legal for at&t to start generating traffic using cIQ and place all their customers to 1 million dollar debt by leaving it to transfer data all night long? that's what you're implying the tos would allow them to do and what they _should_ do "to increase shareholder value" . it's just ridiculous.

      It is legal for AT&T to define "data usage" and "data caps" as "including data required to operate the service." As for whether they do this or not, cheCk your specific TOS. As an example of another industry that successfully did this, look at hard drive manufacturers. They have been claiming "300 Megabytes" when only "270 Megabytes" were in fact usable for over a decade now with much success.

      As to your example of 1 million dollars in debt from carrier generated data streams, yes, that would cause the public to boycott the service and create lawsuits and bad debt. It is your extreme hypothetical abusive interpretation of the definitions that is ridiculous. In practice, this would optimally, from a revenue generation standpoint, be an amount that customers do not notice, whatever that amount may be.

      I have not suggested carriers do anything, in any of my comments. I have merely attempted to explain the current ecosystem. No need to kill the messenger if you don't like the message.

    10. Re:Can't someone sue the carriers? by CowTipperGore · · Score: 3, Insightful

      They aren't recording "keystrokes" .... they are recording "event data" of which, keystrokes are merely a sub-class of events. It's not a lie...

      "While we look at many aspects of a device’s performance, we are counting and summarizing performance, not recording keystrokes or providing tracking tools."

      While I appreciate your efforts at devil's advocate throughout this thread, you seem to have missed the mark on this one. It is immaterial that keystrokes are a sub-class of the event data they are collecting; it is a lie to say categorically that you are not collecting keystrokes when you are.

    11. Re:Can't someone sue the carriers? by tomboalogo · · Score: 3, Insightful

      use a fuckin' payphone (stupid kids, get off my lawn!!!)

    12. Re:Can't someone sue the carriers? by Andy+Dodd · · Score: 4, Insightful

      "like apple, they could have owned the phone companies. they had the hot product and they could have dictated 'do not be evil to our customers!' to the phone companies."
      No, they were a newcomer in the market. In the portable device industry, they didn't have the clout that Apple had thanks to iTunes + iPod. As a result, Apple is still the only company that can successfully tell a North American carrier to fuck themselves.

      And anyway - yes Google allowed it. The whole point of Android is its openness - unfortunately, on some devices, the carrier abuses that openness. Don't like it, go buy a Nexus.

      --
      retrorocket.o not found, launch anyway?
  2. Caught in a lie then. by Nursie · · Score: 5, Insightful

    That's just nasty. First try to silence the researcher, then try to deny what's going on when you've already been caught.

    The question is, will this have any effect? Will carriers stop shipping this stuff ? Will consumers care?

    My guess is no, they'll just try to hide it better in future.

    1. Re:Caught in a lie then. by Culture20 · · Score: 4, Insightful

      This to me sounds like it could be bordering on illegal

      Bordering? It might be legal federally, but if I recall correctly (not a lawyer), there are States where recording such data is a violation of wiretap unless both parties are aware of the recording. And such some people here on /. are pointing to contract clauses where "data necessary to the functioning of the network" or similar are spelled out and saying that people consented (and are thus aware, which is suspect in itself). But let's take this a step further. CarrierIQ says in plain English that they're not logging keystrokes. Any customer who knows about carrierIQ and has seen carrierIQ's statement has a reasonable expectation that "logging keystrokes" is not part of the data logging they're agreeing to. "Aha!" says the weasel lawyer "the ordinary people didn't know about carrierIQ! Only our execs knew it was installed on our phones." To which I say, "did carrierIQ misrepresent its logging nature to those execs?" if it did, then carrierIQ might be logging keystrokes between a user and the phone company when the phone company execs have a reasonable expectation that carrierIQ isn't doing that. Then carrierIQ is in trouble in two-party states.

  3. I have by Anonymous Coward · · Score: 2, Insightful

    Always been suspicious of the countless android apps that REQUIRE device permissions such as "full internet access", "read phone state and identity" etc...

  4. Needs to be labeled as spyware by assemblerex · · Score: 4, Insightful

    Clearly that's what it is, it spies to enrich the company at your expense.

    1. Re:Needs to be labeled as spyware by PolygamousRanchKid+ · · Score: 4, Insightful

      . . . at your expense.

      So guess who pays for the transmission of all those logged clicks . . . ?

      . . . and you thought some other app was draining you battery and carrier account limit . . . ?

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
  5. Conspiracy theories aside... by ruemere · · Score: 4, Insightful

    What software is actually affected? What phone models? What platforms? What applications?
    If it's just AT&T and its victims, well, it's their own private little hell. Otherwise, some facts would be nice.

    For now, (quoting from the article), phrase of "millions of Android, BlackBerry and Nokia phones" smacks of cheap propaganda and scaremongering.

    Regards,
    Ruemere

    1. Re:Conspiracy theories aside... by Fri13 · · Score: 5, Insightful

      Seems like none of phones sold in EU comes with this preinstalled.

      Think about it. EU would rip every carrier, phone manufacturer and software company in pieces if such privacy abusing would rise.
      Not even any end user license would protect those companies at all.

  6. CyanogenMod by monkeyhybrid · · Score: 4, Insightful

    FTA: "it cannot be turned off without rooting the phone and replacing the operating system"

    So even more reason to flash your droid with CyanogenMod or custom ROM of your choice.

    1. Re:CyanogenMod by l3v1 · · Score: 3, Insightful

      Please don't reply that Android is open source, unless you can show me the sources for CIQ!!!

      Uhmm... how so? Android's openness has nothing to do with CIQ.

      --
      I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
    2. Re:CyanogenMod by Dorkmaster+Flek · · Score: 3, Insightful

      Indeed, it's precisely because of Android's openness that we can even find out about this kind of software, or at least make it a lot easier to find out about it.

      --
      I like to think of online DRM as something akin to a college -- you pay for lessons until you learn something.
  7. Credit card number exposure by SlashRAH · · Score: 5, Insightful

    When somebody installs a skimmer on an ATM or fuel pump, there are criminal penalties for (attempted) fraud. How is this software any different?

  8. Not PCI compliant by kooky45 · · Score: 5, Insightful

    I believe this rules out all Android devices with CarrerIQ agents from being used to handle payment card numbers. There's no obvious mention on CarrerIQ's website of PCI compliance or how they protect the user's data. It probably also contravenes SOX, HIPAA and and host of other industry regulations. Bye bye lots of commercial use of Android handsets, especially Blackberry.