Slashdot Mirror


Android Dev Demonstrates CarrierIQ Phone Logging Software On Video

Token_Internet_Girl writes with a followup to last week's news about Android developer Trevor Eckhart, who was researching software from CarrierIQ, installed on millions of cellphones, that secretly logged a variety of user information — from button presses to text message contents to browsing data. CarrierIQ tried to silence Eckhart, but later backtracked. Now, Eckhart has posted a video demonstration of CarrierIQ's logging software. From the article: "The company denies its software logs keystrokes. Eckhart’s 17-minute video clearly undercuts that claim. ... The video shows the software logging Eckhart's online search of 'hello world.' That's despite Eckhart using the HTTPS version of Google, which is supposed to hide searches from those who would want to spy by intercepting the traffic between a user and Google. ...the video shows the software logging each number as Eckhart fingers the dialer. 'Every button you press in the dialer before you call,' he says on the video, 'it already gets sent off to the IQ application.'"

71 of 322 comments

  1. Can't someone sue the carriers? by Anonymous Coward · · Score: 5, Insightful

    There is an asymmetry in the system as it works right now. Which private customers have the will, time, and money to sue companies that illegally wiretap their customers? Isn't there anything that can be done against this? (Of, I'm talking about action against CarrierIQ but about action against the carriers that use their software.)

    1. Re:Can't someone sue the carriers? by fsckmnky · · Score: 5, Insightful

      companies that illegally wiretap their customers

      Therein lies the rub. In order to use your cellphone/smartphone, you have to sign the carrier's agreement, and in the carrier's agreement, there is undoubtedly a clause where you give them permission to collect your data and use it as they see fit. This makes the data collection legal, not illegal, as you agreed to it.

      Nothing short of privacy regulation specifically forbidding carriers to use this information, or at the very least, allowing you to specify that you would like your data to remain private, will prevent this practice from being standard, as the monetary incentive is to collect the data. Corporations have an obligation to protect and grow shareholder value, no matter how many advertisements they run claiming "We care about our customers."

    2. Re:Can't someone sue the carriers? by Theophany · · Score: 5, Insightful

      A contractual agreement to something deemed illegal does not overrule the law.

      If a judge found the activity to be unlawful, which I suspect is where the core of the issue rests, then whether or not there was a contractual agreement is irrelevant. I see no reason for a carrier's data collection policy to include keylogging everything a customer does outside of extenuating circumstance (suspected terrorist or something).

    3. Re:Can't someone sue the carriers? by GPLHost-Thomas · · Score: 5, Interesting

      you have to sign the carrier's agreement, and in the carrier's agreement, there is undoubtedly a clause where you give them permission to collect your data and use it as they see fit

      That would seem right, but only for the time of the contract. What if, as in the video, you have a phone which isn't bound to a contract anymore, and it is still spying on you?

    4. Re:Can't someone sue the carriers? by Serpents · · Score: 5, Informative

      The EU finally admitted that nobody reads ToS and it's going to curb such practices.

    5. Re:Can't someone sue the carriers? by fsckmnky · · Score: 5, Interesting

      A contractual agreement to something deemed illegal does not overrule the law.

      It is not illegal, for you to agree, to the carrier's collection of the data, which is why regulation specifically making it illegal, or spelling out your rights, is required to stop it.

      I see no reason for a carrier's data collection policy to include keylogging everything a customer does outside of extenuating circumstance (suspected terrorist or something).

      Yes, you, like myself, see no reason "to allow" carriers to collect this data. That said, a carrier has "every incentive to collect" this data. It has commercial value. They can sell it to the government / police for investigative purposes, they can data mine it in order to find hidden value, and every bit of data sent can be counted towards your monthly usage cap, thereby, increasing the odds that you will run over and incur additional charges.

      Please understand I am not arguing on behalf of carriers, merely attempting to point out the reality of the current environment. I don't own a smart phone, as I am aware that the reality of it, is that, I am paying to be spied on.

    6. Re:Can't someone sue the carriers? by fsckmnky · · Score: 3, Insightful

      Kudos. Let's hope the rest of the world adopts a sane, fair approach.

    7. Re:Can't someone sue the carriers? by fsckmnky · · Score: 3, Insightful

      I should add, that the moment I heard that Google was releasing a smartphone OS aka Android, my first thought was "Nice. Now google can spy on everyone when they are away from their computer and follow their movements in the physical world."

      Beware of free ice cream from pimply faced CEOs of publicly traded corporations who claim to have your best interests in mind.

      This situation is only going to get worse. The same data collection practices concerning smartphones are being adopted by car manufacturers, and Google wants to use event data that your spiffy new car collects, in order to "predict" and "suggest" a route for you to travel. Do you really think Google ( and other companies active in this area ) are doing all this work for free because they like you ?

      http://media.ford.com/article_display.cfm?article_id=34591

    8. Re:Can't someone sue the carriers? by fsckmnky · · Score: 5, Interesting

      Indeed. If the government began a program to spy on everyone domestically, it would undoubtedly cause a huge uproar, and likely be deemed unconstitutional ( at least I hope it would be deemed as such. )

      But if companies collect the data, then the government can simply request the records, and pay the company a fee for retrieving them, as part of an "investigation."

      Web search ... "what are you interested in ?"
      Web analytics ... "what sites are you visiting ?"
      Friends lists ... "who do you know / communicate with ?"
      Mapping ... "where are you going ?"
      GPS / wi-fi detection .... "where are you at right now ?"
      SMS ... "what have you said to whom ?"

      Welcome to the matrix. Good luck flushing yourself from it.

    9. Re:Can't someone sue the carriers? by Anonymous Coward · · Score: 5, Interesting

      Carrier IQ DENIES that they are recording keystrokes. They deny this right now, on their website in a PDF, that is linked to right at the top of their home page:
      "While we look at many aspects of a device’s performance, we are counting and summarizing performance, not recording keystrokes or providing tracking tools. The metrics and tools we derive are not designed to deliver such information, nor do we have any intention of developing such tools."

      So even if our agreement with the carrier permits logging/capturing of this data, it doesn't allow you to LIE about doing it. Their software clearly logs data. We don't know if it keeps that data or transmits it back to anyone. But the data is clearly being captured in some fashion as demonstrated by the video.

    10. Re:Can't someone sue the carriers? by demonlapin · · Score: 2

      Just because you no longer have an early termination fee doesn't mean that you're no longer under contract; you're still operating under the same terms as before except that you can cancel service at any time. Glance at click-through licenses some time; they say things like "use of this device constitutes..." rather than "use of this service constitutes..."

    11. Re:Can't someone sue the carriers? by fsckmnky · · Score: 4, Insightful

      Carrier IQ DENIES that they are recording keystrokes.

      They aren't recording "keystrokes" .... they are recording "event data" of which, keystrokes are merely a sub-class of events. It's not a lie, just like when Bill Clinton told everyone "I did not have sexual relations with [Monica Lewinsky]." He didn't have sexual relations, as in, intercourse, he just played around with a cigar.

      So even if our agreement with the carrier permits logging/capturing of this data, it doesn't allow you to LIE about doing it.

      As argued above, they are not "lying." They are simply being extremely technically specific in their statements.

      We, as private citizens, need to get better at reading between the lines, as that is where the truth is, in order to protect ourselves from the non-lying-liars.

    12. Re:Can't someone sue the carriers? by alostpacket · · Score: 3, Insightful

      While I agree with the spirit of your rant, AT&T did just show us this past spring that we might already be in such a dystopia. They challenged a customer's right to partake in a class-action lawsuit (when a customer had signed a binding arbitration contract). AT&T took it to the Supreme Court and won.

      --
      PocketPermissions Android Permission Guide
    13. Re:Can't someone sue the carriers? by Goaway · · Score: 5, Insightful

      So, a third party had to make this spy app for the carriers because Google was not spying enough on users for their taste. And your conclusion is that Google is evil.

    14. Re:Can't someone sue the carriers? by Ash+Vince · · Score: 3, Insightful

      Yep. This is why I will never get an Android device or use Google+. They want to spy, and they spy everything. On top of that, other companies will start to feel that it's ok to do. If the practice can continue without interruption, we will all lose privacy. It's funny how everyone always fights losing privacy to the government. Google, Carrier IQ and the companies are just middle hands for that!

      But why single out Google? All smart phones are going to do crap like this so the only way to escape it is to only use products that are completely open and unlocked.

      Bear in mind that this thread is not actually about anything Google can change, it is about some extra software that carriers (ie - AT&T, etc) are adding to android after google are done with it. There is very little you can do to avoid this as all the carriers are just as bad but you can at least not just blame google because they created an open phone platform that some other company wrote bad software for. Do you blame Apple for Mac IE5 being shit or Microsoft?

      --
      I dont read /. to RTFA, I read /. to offend people in ignorance.
    15. Re:Can't someone sue the carriers? by fsckmnky · · Score: 4, Insightful

      there's a LOT of things you can't just ask consumers for permission on the TOS and then go "nanananan it's legit you signed the contract!". same thing applies to that you can't sign away your career through non-competes even if some employer wants you to believe so.

      There is no law that I am aware of, that prevents private parties ( carrier and customer ) from agreeing to share information with each other. As for non-compete agreements, that is an entirely different issue ( legally ) than information sharing. It is voluntary for you to share, or not share, information with another party, while it is decidedly not voluntary for you to work and earn a living, unless someone else is working and earning a living to support you.

      if it were legal to write any fucking kind of contract you want we would all be living in some crazy dystopia where everybody's life was determined by contracts written and signed before the person was even born (that would be pretty much what sucked about the middle ages).

      I hate to break the news to you, but this is the world you live in now. Contracts are binding unless found all or in part ( under specific circumstances ) to be invalid by prior legislation or precedent.

      because it's such a fucked up business decision in the first place and only serves to move money _away_ from the operator.

      No. It increases shareholder value, up until the point where the public 1) becomes aware of it and 2) refuses to accept it and 3) finds the will to boycott the service. Unless all 3 of those things happen, the data collection is valuable, and enhances the bottom line.

      so do you really think it would be legal for at&t to start generating traffic using cIQ and place all their customers to 1 million dollar debt by leaving it to transfer data all night long? that's what you're implying the tos would allow them to do and what they _should_ do "to increase shareholder value" . it's just ridiculous.

      It is legal for AT&T to define "data usage" and "data caps" as "including data required to operate the service." As for whether they do this or not, check your specific TOS. As an example of another industry that successfully did this, look at hard drive manufacturers. They have been claiming "300 Megabytes" when only "270 Megabytes" were in fact usable for over a decade now with much success.

      As to your example of 1 million dollars in debt from carrier generated data streams, yes, that would cause the public to boycott the service and create lawsuits and bad debt. It is your extreme hypothetical abusive interpretation of the definitions that is ridiculous. In practice, this would optimally, from a revenue generation standpoint, be an amount that customers do not notice, whatever that amount may be.

      I have not suggested carriers do anything, in any of my comments. I have merely attempted to explain the current ecosystem. No need to kill the messenger if you don't like the message.

    16. Re:Can't someone sue the carriers? by andydread · · Score: 3, Interesting

      Unfortunately for you it looks like you won't be owning a cell phone of any type. And I suppose you don't own one now. Almost every cellphone from certain carriers has CarrierIQ installed. This has nothing to do with Google or the underlying operating system. Carrier IQ is crapware that is installed on phones by the CARRIER. And it's on Nokia phones and BlackBerrys along with many many many feature phones. Apple has been tight lipped but don't be surprised if it is found on iPhones either. They already have a client available for iPhones. So if the carrier chooses to install it you are SOL.

    17. Re:Can't someone sue the carriers? by andydread · · Score: 2

      Oh how nice of you to lump Google into this. I wonder if you are just pro trolling, or some fanboy of some type. This event has nothing to do with Google. It is installed by the cell carrier and there are clients available to carriers for ALL mobile operating systems and it has been found on other non Android phones. Nice attempt to smear Google with this one.

    18. Re:Can't someone sue the carriers? by fsckmnky · · Score: 3, Informative

      There are a few methods, that I am aware of, that might, although the legality of such methods I am unsure of, still allow for cell phone use while preventing this sort of spying from occurring.

      One method, is to get a GNU Radio ( http://gnuradio.org/redmine/projects/gnuradio/wiki ) device and operate it as a cellphone carrier firewall. This would accept connections from your cell phone, log and allow you to filter what is being sent, and then communicate with your carrier.

      The other method, would be to use a cellphone data device / mobile hotspot, and then operate your cell phone using encrypted VOIP to an Asterisk server in your home / office.

      If there are other methods, by all means let everyone know about them.

    19. Re:Can't someone sue the carriers? by Maow · · Score: 5, Informative

      doesn't mean that you're no longer under contract; you're still operating under the same terms as before except that you can cancel service at any time.

      In the video, he explains he has a separate phone for development, without any mobile provider / SIM, which he also plays games on.

      It was connected via Wifi. Every keystroke, HTTPS search, etc. was recorded and presumably uploaded to CarrierIQ or to ATT (or whomever).

      His device is not of concern to any mobile operator.

      That's a significant issue, and I doubt he'd be hard pressed to convince a lawyer to take it on.

      (IANAL, etc.)

    20. Re:Can't someone sue the carriers? by opposabledumbs · · Score: 2

      Added to the fact that you can't have a contract for something that breaks the law is the legal principle that both parties have to be agreeing to the same contract - i.e. there has to be a meeting of minds on the terms of the contract.

      Just saying that the carriers are going to collect data is not enough in my opinion, as the way in which this data is collected and the depth of the data that is going to be collected was not spelled out. And that is for obvious reasons: not many people would willingly agree to this kind of gross invasion of privacy.

      Let's hope that the judge that hears this case has a daughter with a phone that can be affected by this. Hell, and a mistress, too, that would really drive the point home and make it personal.

    21. Re:Can't someone sue the carriers? by chromas · · Score: 2
    22. Re:Can't someone sue the carriers? by CowTipperGore · · Score: 3, Insightful

      They aren't recording "keystrokes" .... they are recording "event data" of which, keystrokes are merely a sub-class of events. It's not a lie...

      "While we look at many aspects of a device’s performance, we are counting and summarizing performance, not recording keystrokes or providing tracking tools."

      While I appreciate your efforts at devil's advocate throughout this thread, you seem to have missed the mark on this one. It is immaterial that keystrokes are a sub-class of the event data they are collecting; it is a lie to say categorically that you are not collecting keystrokes when you are.

    23. Re:Can't someone sue the carriers? by tomboalogo · · Score: 3, Insightful

      use a fuckin' payphone (stupid kids, get off my lawn!!!)

    24. Re:Can't someone sue the carriers? by fsckmnky · · Score: 4, Funny

      Have you tried to find a payphone in the US recently ? You practically need a smartphone with google maps to find one. ;)

    25. Re:Can't someone sue the carriers? by samkass · · Score: 2

      I'm curious to know why Apple is never implicated in such privacy and tracking discussions considering how they lock you down to their own software and services.

      It's pretty simple: because Apple doesn't do this. They had something that tracked recent position so a phone could home in on its current position on request faster, but when it was brought to light how long that cache was retained Apple fixed that bug. iOS now only keeps that information briefly.

      Android is only "free" because it gets Google (an advertising company) information and opportunities to sell to advertisers. If you actually want to just buy the phone and use it as your own device, perhaps ironically Apple's controlled "walled garden" is a better choice. Apple's profit motive is not in the collecting of user information like Google's is, it's in the selling of devices. Anything that interferes with that, such as privacy concerns, is addressed.

      --
      E pluribus unum
    26. Re:Can't someone sue the carriers? by sunderland56 · · Score: 4, Interesting

      I'm curious to know why Apple is never implicated in such privacy and tracking discussions.

      CarrierIQ was discovered because it is a third party program - and so it shows up in the Android debugger. Much of Android is open source, so even if it did not, people could write their own debuggers to expose it.

      Apple develops the hardware, the OS, and the debugger - and it is all closed source. If they wanted to build complete tracking into the kernel, and not have it show up in the debugger at all, they could. So - how do you know that they didn't? Just because nobody has exposed it yet, does not mean that it does not exist.

    27. Re:Can't someone sue the carriers? by Hatta · · Score: 2

      Correct. I do not and will not own a cell phone until it is Stallman approved. Which will be never.

      --
      Give me Classic Slashdot or give me death!
    28. Re:Can't someone sue the carriers? by metalgamer84 · · Score: 2

      Rooting the phone is the biggest part of the battle. If you can root your phone, a custom ROM is mere seconds away. It was ridiculously easy to install Cyanogenmod on my Evo Shift and I will never go back to Sprint's factory ROM.

    29. Re:Can't someone sue the carriers? by blackraven14250 · · Score: 2

      Carriers insist that manufacturers preload this on devices. How does that leave Google as the bad guy again?

    30. Re:Can't someone sue the carriers? by Andy+Dodd · · Score: 4, Insightful

      "like apple, they could have owned the phone companies. they had the hot product and they could have dictated 'do not be evil to our customers!' to the phone companies."
      No, they were a newcomer in the market. In the portable device industry, they didn't have the clout that Apple had thanks to iTunes + iPod. As a result, Apple is still the only company that can successfully tell a North American carrier to fuck themselves.

      And anyway - yes Google allowed it. The whole point of Android is its openness - unfortunately, on some devices, the carrier abuses that openness. Don't like it, go buy a Nexus.

      --
      retrorocket.o not found, launch anyway?
    31. Re:Can't someone sue the carriers? by chrb · · Score: 3, Informative

      Can you point out exactly what you think Google does that Apple does not? From Apple's Q&A on Location Data.

      1) Apple gathers "crowd-sourced Wi-Fi hotspot and cell tower data". To do this, your iPhone sends your location along with your Wi-Fi hotspot and cell tower data (SSIDs, signal strength) to Apple. They do say that the request is anonymised so they have no way of figuring out who you are based on the request, but clearly they could just correlate the geo-tagged request with non-geo requests coming from your phone and figure out who you are.

      2) Apple has an advertising system (iAds) that uses your location to send you targeted ads. Obviously this involves Apple knowing what your location is.

      3) Apple provides application crash logs to third party developers. They say the logs are anonymous, but an app developer could easily include enough information to identify you (a username, IP address etc.).

      4) Apple tracks you when you travel. They say it is anonymous, but again they could clearly figure out who you are if they wanted to. ("Apple is now collecting anonymous traffic data to build a crowd-sourced traffic database.")

      Apple's profit motive is not in the collecting of user information like Google's is, it's in the selling of devices.

      iAds: "The iAd mobile advertising network is a significant revenue stream for developers and a powerful way for brands to reach millions of iOS users." This is different to Google how?

    32. Re:Can't someone sue the carriers? by Reverand+Dave · · Score: 2

      Ok so yesterday you were vehemently defending FB and before that you were ranting about how windows phone 7 was the new messiah. I'm not sure if you have any credibility left on the issue of phones or privacy.

      --
      I got here through a series of tubes
    33. Re:Can't someone sue the carriers? by kqs · · Score: 2

      Citation needed. Please show a single case where Google has sold user info or actions.

      Google collects info and actions, and uses them to target ads. They sell ads, not info.

      CarrierIQ collects user actions and sends to the cell providers. I don't trust them at all, but that distrust is based on years of Baby Bells mistreating users and their data, not on random fantasies of an evil Google coming to steal my soul.

    34. Re:Can't someone sue the carriers? by tqk · · Score: 2

      Where the ambiguity comes in is where we draw the line as "private information". Is your conversation or web history considered private? You'd have to convince the courts should you take it that far.

      No, I would not need to convince a court of anything. I would, however, talk to my cellphone provider to see if they did anything like this. If so, I'll find another provider that doesn't. If I can't find one, then I'll do without.

      This is close to the most despicable business practice I've heard of in a long time. My provider runs a hidden keylogger/spyware app on my phone, for which I'm paying the bills?!?

      I've read the CarrierIQ "Privacy and Security" disclaimer. I don't believe them. I've also read their "Mobile Service Intelligence" page:

      What's more, the combination of the MSIP and IQ Insight lets you move seamlessly from broad trend data across many users, through comparative groups down to diagnostic data from individual devices. Now, not only can you identify trends, you have the power to drill down to specific instances, giving you the insight your specialists need to make a difference. [emphasis mine.]

      Utterly unacceptable. I can absolutely guarantee that I will never in the future own a cellphone (or any other device) that won't submit to jailbreaking, specifically so I can avoid crapware like CarrierIQ.

      Ho. Ly. !@#$ :-O

      --
      "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
    35. Re:Can't someone sue the carriers? by nahdude812 · · Score: 3, Informative

      I should add, that the moment I heard that Google was releasing a smartphone OS aka Android, my first thought was "Nice. Now google can spy on everyone when they are away from their computer and follow their movements in the physical world."

      It should be noted that CarrierIQ is not Google and is not related to Google. This is a third party which makes a rootkit/spyware app that carriers have installed on handsets that they sell (it is not part of a vanilla Android install).

  2. Caught in a lie then. by Nursie · · Score: 5, Insightful

    That's just nasty. First try to silence the researcher, then try to deny what's going on when you've already been caught.

    The question is, will this have any effect? Will carriers stop shipping this stuff ? Will consumers care?

    My guess is no, they'll just try to hide it better in future.

    1. Re:Caught in a lie then. by Culture20 · · Score: 4, Insightful

      This to me sounds like it could be bordering on illegal

      Bordering? It might be legal federally, but if I recall correctly (not a lawyer), there are States where recording such data is a violation of wiretap unless both parties are aware of the recording. And such some people here on /. are pointing to contract clauses where "data necessary to the functioning of the network" or similar are spelled out and saying that people consented (and are thus aware, which is suspect in itself). But let's take this a step further. CarrierIQ says in plain English that they're not logging keystrokes. Any customer who knows about carrierIQ and has seen carrierIQ's statement has a reasonable expectation that "logging keystrokes" is not part of the data logging they're agreeing to. "Aha!" says the weasel lawyer "the ordinary people didn't know about carrierIQ! Only our execs knew it was installed on our phones." To which I say, "did carrierIQ misrepresent its logging nature to those execs?" if it did, then carrierIQ might be logging keystrokes between a user and the phone company when the phone company execs have a reasonable expectation that carrierIQ isn't doing that. Then carrierIQ is in trouble in two-party states.

  3. I have by Anonymous Coward · · Score: 2, Insightful

    Always been suspicious of the countless android apps that REQUIRE device permissions such as "full internet access", "read phone state and identity" etc...

    1. Re:I have by Chrisq · · Score: 4, Informative

      Always been suspicious of the countless android apps that REQUIRE device permissions such as "full internet access", "read phone state and identity" etc...

      As far as I can gather this is worse. It comes pre-installed by your carrier, you never grant it access to everything and there is no sign that it is installed.

    2. Re:I have by Fri13 · · Score: 5, Informative

      Then install the Permission Denied application (you need root), which gives you the possibility to rip those permissions off from an application: https://market.android.com/details?id=com.stericson.permissions.

      After selecting what permissions the app can have, you need to reboot for it to take effect.
      And the other great application is Droidwall, which is a firewall (needs root as well) where you choose per application whether it has access to the WLAN or 3G internet connection. Great to limit some apps to use only WLAN instead of 3G or vice versa.

    3. Re:I have by Catnaps · · Score: 3, Informative

      If you need root for these things, you may as well just grab a custom ROM to go along with it which has CIQ removed (well, most devs remove it anyway). I know my Sensation third-party ROM (ARHD 4.1.x) doesn't have CIQ anywhere in it, I've checked.
      After all, flashing a ROM after rooting is a really small step in terms of difficulty and then you're totally free of CIQ.

    4. Re:I have by daid303 · · Score: 5, Informative

      One of the latest (7.2 or something) CyanogenMOD versions allows you to revoke permissions on installed apps. Which is the main reason why I installed Cyanogen.

    5. Re:I have by Catnaps · · Score: 2

      My Legend had a locked bootloader, so did my Sensation. Emphasis on past tense, because you can unlock them quite easily with some help from XDA Devs. My Sensation was literally; "run batch file, wait 3 minutes and watch it reboot a few times, check bootloader: S-OFF. Done."

  4. Needs to be labeled as spyware by assemblerex · · Score: 4, Insightful

    Clearly that's what it is, it spies to enrich the company at your expense.

    1. Re:Needs to be labeled as spyware by PolygamousRanchKid+ · · Score: 4, Insightful

      . . . at your expense.

      So guess who pays for the transmission of all those logged clicks . . . ?

      . . . and you thought some other app was draining your battery and carrier account limit . . . ?

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
  5. Conspiracy theories aside... by ruemere · · Score: 4, Insightful

    What software is actually affected? What phone models? What platforms? What applications?
    If it's just AT&T and its victims, well, it's their own private little hell. Otherwise, some facts would be nice.

    For now, (quoting from the article), phrase of "millions of Android, BlackBerry and Nokia phones" smacks of cheap propaganda and scaremongering.

    Regards,
    Ruemere

    1. Re:Conspiracy theories aside... by Fri13 · · Score: 5, Insightful

      Seems like none of the phones sold in the EU come with this preinstalled.

      Think about it. The EU would rip every carrier, phone manufacturer and software company to pieces if such privacy abuse arose.
      Not even any end user license would protect those companies at all.

  6. What phones and providers to avoid? by aliquis · · Score: 2

    So, will someone set up a list for which products not to buy?

    If I get a phone here in Sweden which is just plain vanilla stock version will that contain the software or is it something the service providers install on "their own" phones?

    1. Re:What phones and providers to avoid? by xaxa · · Score: 2

      I don't see it on my UK stock (non-branded) Desire.

      Look in "All Applications" as explained by the video. I haven't checked with the debugger.

  7. CyanogenMod by monkeyhybrid · · Score: 4, Insightful

    FTA: "it cannot be turned off without rooting the phone and replacing the operating system"

    So even more reason to flash your droid with CyanogenMod or custom ROM of your choice.

    1. Re:CyanogenMod by Fri13 · · Score: 2

      In my opinion, every Android phone should be upgradable by the user in any country legally, whenever a new ROM is released, from Google or from a third party.
      After all, phone manufacturers and carriers are just selling hardware and services, not the software.

    2. Re:CyanogenMod by mea_culpa · · Score: 2

      It would be nice if smartphones were given the same level of respect that PCs get.
      Unlocked boot loaders, choice of operating systems, and more protection from illegal search and seizure from law enforcement.

    3. Re:CyanogenMod by MimeticLie · · Score: 3, Interesting

      Please don't reply that Android is open source, unless you can show me the sources for CIQ!!!

      Please don't reply that Linux is open source, unless you can show me the sources for Flash or Opera.

    4. Re:CyanogenMod by l3v1 · · Score: 3, Insightful

      Please don't reply that Android is open source, unless you can show me the sources for CIQ!!!

      Uhmm... how so? Android's openness has nothing to do with CIQ.

      --
      I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
    5. Re:CyanogenMod by Dorkmaster Flek · · Score: 3, Insightful

      Indeed, it's precisely because of Android's openness that we can even find out about this kind of software, or at least make it a lot easier to find out about it.

      --
      I like to think of online DRM as something akin to a college -- you pay for lessons until you learn something.
    6. Re:CyanogenMod by gnud · · Score: 2

      Not to mention the compiler that was used to compile _your_ compiler - http://cm.bell-labs.com/who/ken/trust.html

  8. Credit card number exposure by SlashRAH · · Score: 5, Insightful

    When somebody installs a skimmer on an ATM or fuel pump, there are criminal penalties for (attempted) fraud. How is this software any different?

  9. is this on iphone too? by sunr2007 · · Score: 2

    Would like to know whether Apple/AT&T or Apple/any other carriers do this on iPhone too?

  10. Not PCI compliant by kooky45 · · Score: 5, Insightful

    I believe this rules out all Android devices with CarrierIQ agents from being used to handle payment card numbers. There's no obvious mention on CarrierIQ's website of PCI compliance or how they protect the user's data. It probably also contravenes SOX, HIPAA and a host of other industry regulations. Bye bye lots of commercial use of Android handsets, especially Blackberry.

    1. Re:Not PCI compliant by Dan East · · Score: 4, Interesting

      And therein lies the solution to this problem. As soon as someone hacks into their database and steals a ton of credit card info, personal data, etc, there will be enough uproar and backlash to kill off CarrierIQ, and bite carriers like AT&T that preinstalled it.

      --
      Better known as 318230.
  11. May I suggest... by aug24 · · Score: 4, Interesting

    ...someone with skillz makes a freely installable CIQ clone that sends them back fake, randomly generated results.

    --
    You're only jealous cos the little penguins are talking to me.
  12. Re:Wow, a dumb troll by Anonymous Coward · · Score: 5, Funny

    GP's point was that CarrierIQ is as much part of Android as Flash or Opera is part of Linux. The fact that it runs on Android and that carriers install it on Android doesn't change that.

    How does it feel to fail even at basic reading comprehension skills?

  13. Re:Any other tricks? by shutdown -p now · · Score: 2

    He didn't demo it in the video, but there was one bit where he showed the permission list for the app - and it basically owns the world. And yes, this includes recording audio. Whether it's actually using that permission for anything is an interesting question.

  14. But is the data actually transmitted anywhere? by Wyzard · · Score: 5, Interesting

    In this video, the researcher is looking at debug logs from the phone itself, not network traffic logs showing remote communication. He clearly shows that keystrokes and URLs are being passed to the IQ software running on the phone, but presents no evidence that the data is actually sent to anything outside of the phone.

    Has anyone determined what the IQ software does with all this information besides writing it to the debug logger? Is it actually sent somewhere, or saved to persistent storage on the phone? (I'm no Android expert, but I'm under the impression that debug messages are discarded when there's no debugger attached.)

    Having this software running in the background is sneaky and certainly makes spying more possible than it would be otherwise, but it's not necessarily the huge immediate privacy violation that everyone seems to be assuming it is.

    1. Re:But is the data actually transmitted anywhere? by Catnaps · · Score: 2

      Just because you don't have proof that the card skimmer on the local ATM isn't sending data back to its installers, doesn't mean it's not. It has the potential to, and it's designed to do exactly that- which should be enough for CIQ to be harpooned with all due haste.

  15. Absolutely illegal by Riskable · · Score: 5, Informative

    Some other folks were speculating that since you signed an agreement with your carrier that it somehow makes this legal. This is absolutely false. There are certain rights that you can sign away, certainly, but don't think of it like that. Think of it like, "What is Verizon doing with this data and how are they transporting it?"

    Here's a few laws and industry regulations they are violating (by recording all keystrokes) off the top of my head:

    1) The Payment Card Industry Data Security Standard (PCI DSS): If anyone ever (ever) enters credit card information into their phone (via an app, web page, whatever) that data must be protected according to the DSS (because all the carriers accept credit cards, that is). That means it must be encrypted in transit, when it is stored, and more importantly: certain information must *NOT* be stored (again, ever). For example, if a user enters the CVV2 from their card into an online form the carrier must ensure that this data does not get stored (good luck with THAT regex! hah!).

    2) Gramm-Leach-Bliley Act (GLBA). Undoubtedly, personally identifiable financial information is being recorded, transported, and stored without the user's knowledge or consent (each transaction/event would need its own notice and agreement with the carrier). That could add up to literally MILLIONS of violations.

    3) Sarbanes-Oxley: If they're recording this data they had better damned well keep an audit trail on it and be regularly disclosing that they're doing so to all their investors. They also must have documented controls & procedures and (likely) perform regular audits to ensure that said controls & procedures are being properly followed.

    4) They can be held liable for having knowledge of crimes but not reporting them.

    5) They can lose their common carrier status: Since they're now recording literally everything users do online they can be held (partially) accountable for what those users do. If you recorded the data you certainly could've audited it for fraudulent activity. "Have you been the victim of a crime that took place over a cell phone? Call the law offices of Sue & Win."

    6) There's probably a dozen laws that say you can't intercept and/or store information related to people's banking accounts and financial transactions (unless you're the bank that the customer is interacting with). These laws are the ones that should make the carriers quiver in their boots. Some of these were written specifically to deal with gangsters and organized crime and as such could land executives in prison (not that I think the U.S. Attorney General would prosecute since our government is sadly, "stupidly hard on individual crime but soft on corporate crime").

    7) Unless their contract specifically spells out that they're going to record every keystroke you enter into your phone they've opened themselves up to millions of lawsuits. If anyone ever wins one of these it will be game over for the carriers. "verizon" and "at&t" will likely become some of those "$50-per-click" Adwords on Google.

    8) If they're not using proper encryption of this data in transit and storage, the PCI DSS will be the least of their problems... That's criminal negligence right there. After hearing all the controls the Payment Card Industry requires of the carriers for something as simple as a credit card number what jury could be convinced of a defense such as, "We didn't know!"?!? I mean, seriously. Forget being fired. If someone knowingly decided it was a good idea to record all keystrokes they should go to prison. It is the penultimate example of why you don't put non-technical people in charge of making technical decisions.

    --
    -Riskable
    "Those who choose proprietary software will pay for their decision!"
    1. Re:Absolutely illegal by AB3A · · Score: 2

      Going a step further, there should be liability for those who collect this data: If the user downloads kiddie porn, they're now liable because they were able to know this and didn't act. If the user stalks someone and they do not report this to authorities, they should be held liable. If someone tweets messages that indicate suicidal tendencies and they take no action, they can be held liable.

      Collect this data at your peril. You want to know all about me? Fine. Now you become an accessory for everything I do wrong.

      --
      Nearly fifty percent of all graduates come from the bottom half of the class!
  16. Not exactly accurate... by djrbliss · · Score: 4, Interesting

    Disclaimer: I have thoroughly reverse engineered CarrierIQ's software.

    This issue has been blown out of proportion. CarrierIQ has hooks that respond to events triggered by keystrokes, web traffic, and SMS messages. It also makes the mistake of printing debugging output containing plaintext of some of this data, which is a pretty bad screwup. Additionally, there's no real reason CIQ should have hooks in those places in the first place.

    What they don't do is actually store any of this information and report it to your carrier (keep in mind I know this because I actually looked at the application). In terms of what's actually being stored, I've seen no evidence that CIQ is collecting anything more than what they have publicly claimed: anonymized metrics data. That doesn't mean users shouldn't be able to opt-out of this software, since it still represents a potential risk to privacy. But at this point, this whole thing has turned into a witch hunt.

    In short, there's a big difference between "look, it does something when I press a key!" and "it's storing all my keystrokes and sending them to my carrier!". This video demonstrates the first, but the second doesn't actually happen. They shouldn't be doing what they're doing, and users should be able to opt out, but this isn't nearly as evil as people are making it out to be.

  17. In Soviet America... by openfrog · · Score: 2

    ...capitalists spy on you.

  18. Two quibbles by alispguru · · Score: 2

    Apple develops the hardware, the OS, and the debugger - and it is all closed source.

    Most of iOS is open source.

    There could easily be something like CarrierIQ in the closed parts of iOS. However, it would not be useful to Apple unless it phoned home somehow, and that network activity is detectable whether or not the platform source is open.

    --
    To a Lisp hacker, XML is S-expressions in drag.