Slashdot Mirror

← Back to Stories (view on slashdot.org)

Android Dev Demonstrates CarrierIQ Phone Logging Software On Video

Posted by Soulskill on from the hand-in-cookie-jar dept.

Token_Internet_Girl writes with a followup to last week's news about Android developer Trevor Eckhart, who was researching software from CarrierIQ, installed on millions of cellphones, that secretly logged a variety of user information — from button presses to text message contents to browsing data. CarrierIQ tried to silence Eckhart, but later backtracked. Now, Eckhart has posted a video demonstration of CarrierIQ's logging software. From the article: "The company denies its software logs keystrokes. Eckhart’s 17-minute video clearly undercuts that claim. ... The video shows the software logging Eckhart's online search of 'hello world.' That's despite Eckhart using the HTTPS version of Google, which is supposed to hide searches from those who would want to spy by intercepting the traffic between a user and Google. ...the video shows the software logging each number as Eckhart fingers the dialer. 'Every button you press in the dialer before you call,' he says on the video, 'it already gets sent off to the IQ application.'"

5 of 322 comments (clear)

  1. Re:Can't someone sue the carriers? by GPLHost-Thomas · · Score: 5, Interesting

    you have to sign the carriers agreement, and in the carriers agreement, there is undoubtedly a clause where you give them permission to collect your data and use it as they see fit

    That would seem right, but only for the time of the contract. What if, as in the video, you have a phone which isn't bound to a contract anymore, and still spying on you?

  2. Re:Can't someone sue the carriers? by fsckmnky · · Score: 5, Interesting

    A contractual agreement to something deemed illegal does not overrule the law.

    It is not illegal, for you to agree, to the carriers collection of the data, which is why regulation specifically making it illegal, or spelling out your rights, is required to stop it.

    I see no reason for a carrier's data collection policy to include keylogging everything a customer does outside of extenuating circumstance (suspected terrorist or something).

    Yes, you, like myself, see no reason "to allow" carriers to collect this data. That said, a carrier has "every incentive to collect" this data. It has commercial value. They can sell it to the government / police for investigative purposes, they can data mine it in order to find hidden value, and every bit of data sent can be counted towards your monthly usage cap, thereby, increasing the odds that you will run over and incur additional charges.

    Please understand I am not arguing on behalf of carriers, merely attempting to point out the reality of the current environment. I don't own a smart phone, as I am aware that the reality of it, is that, I am paying to be spied on.

  3. Re:Can't someone sue the carriers? by fsckmnky · · Score: 5, Interesting

    Indeed. If the government began a program to spy on everyone domestically, it would undoubtedly cause a huge uproar, and likely be deemed unconstitutional ( at least I hope it would be deemed as such. )

    But if companies collect the data, then the government can simply request the records, and pay the company a fee for retrieving them, as part of an "investigation."

    Web search ... "what are you interested in ?"
    Web analytics ... "what sites are you visiting ?"
    Friends lists ... "who do you know / communicate with ?"
    Mapping ... "where are you going ?"
    GPS / wi-fi detection .... "where are you at right now ?"
    SMS ... "what have you said to whom ?"

    Welcome to the matrix. Good luck flushing yourself from it.

  4. Re:Can't someone sue the carriers? by Anonymous Coward · · Score: 5, Interesting

    Carrier IQ DENIES that they are recording keystrokes. They deny this right now, on their website in a PDF, that is linked to right at the top of their home page:
    "While we look at many aspects of a device’s performance, we are counting and summarizing performance, not recording keystrokes or providing tracking tools. The metrics and tools we derive are not designed to deliver such information, nor do we have any intention of developing such tools."

    So even if our agreement with the carrier permits logging/capturing of this data, it doesn't allow you to LIE about doing it. Their software clearly logs data. We don't know if it keeps that data or transmits it back to anyone. But the data is clearly being captured in some fashion as demonstrated by the video.

  5. But is the data actually transmitted anywhere? by Wyzard · · Score: 5, Interesting

    In this video, the researcher is looking at debug logs from the phone itself, not network traffic logs showing remote communication. He clearly shows that keystrokes and URLs are being passed to the IQ software running on the phone, but presents no evidence that the data is actually sent to anything outside of the phone.

    Has anyone determined what the IQ software does with all this information besides writing it to the debug logger? Is it actually sent somewhere, or saved to persistent storage on the phone? (I'm no Android expert, but I'm under the impression that debug messages are discarded when there's no debugger attached.)

    Having this software running in the background is sneaky and certainly makes spying more possible than it would be otherwise, but it's not necessarily the huge immediate privacy violation that everyone seems to be assuming it is.