Android Dev Demonstrates CarrierIQ Phone Logging Software On Video

Token_Internet_Girl writes with a followup to last week's news about Android developer Trevor Eckhart, who was researching software from CarrierIQ, installed on millions of cellphones, that secretly logged a variety of user information — from button presses to text message contents to browsing data. CarrierIQ tried to silence Eckhart, but later backtracked. Now, Eckhart has posted a video demonstration of CarrierIQ's logging software. From the article: "The company denies its software logs keystrokes. Eckhart’s 17-minute video clearly undercuts that claim. ... The video shows the software logging Eckhart's online search of 'hello world.' That's despite Eckhart using the HTTPS version of Google, which is supposed to hide searches from those who would want to spy by intercepting the traffic between a user and Google. ...the video shows the software logging each number as Eckhart fingers the dialer. 'Every button you press in the dialer before you call,' he says on the video, 'it already gets sent off to the IQ application.'"

Can't someone sue the carriers?

There is an asymmetry in the system as it works right now. Which private customers have the will, time, and money to sue companies that illegally wiretap their customers? Isn't there anything that can be done against this? (Of, I'm talking about action against CarrierIQ but about action against the carriers that use their software.)

Re:Can't someone sue the carriers?

[fsckmnky]

companies that illegally wiretap their customers

Therein lies the rub. In order to use your cellphone/smartphone, you have to sign the carriers agreement, and in the carriers agreement, there is undoubtedly a clause where you give them permission to collect your data and use it as they see fit. This makes the data collection legal, not illegal, as you agreed to it.

Nothing short of privacy regulation specifically forbidding carriers to use this information, or at the very least, allowing you to specify that you would like your data to remain private, will prevent this practice from being standard, as the monetary incentive is to collect the data. Corporations have an obligation to protect and grow shareholder value, no matter how many advertisements they run claiming "We care about our customers."

Re:Can't someone sue the carriers?

[Theophany]

A contractual agreement to something deemed illegal does not overrule the law.

If a judge found the activity to be unlawful, which I suspect is where the core of the issue rests, then whether or not there was a contractual agreement is irrelevant. I see no reason for a carrier's data collection policy to include keylogging everything a customer does outside of extenuating circumstance (suspected terrorist or something).

Re:Can't someone sue the carriers?

[GPLHost-Thomas]

you have to sign the carriers agreement, and in the carriers agreement, there is undoubtedly a clause where you give them permission to collect your data and use it as they see fit

That would seem right, but only for the time of the contract. What if, as in the video, you have a phone which isn't bound to a contract anymore, and still spying on you?

Re:Can't someone sue the carriers?

[Serpents]

The EU finally admitted that nobody reads ToS and it's going to curb such practices.

Re:Can't someone sue the carriers?

[fsckmnky]

A contractual agreement to something deemed illegal does not overrule the law.

It is not illegal, for you to agree, to the carriers collection of the data, which is why regulation specifically making it illegal, or spelling out your rights, is required to stop it.

I see no reason for a carrier's data collection policy to include keylogging everything a customer does outside of extenuating circumstance (suspected terrorist or something).

Yes, you, like myself, see no reason "to allow" carriers to collect this data. That said, a carrier has "every incentive to collect" this data. It has commercial value. They can sell it to the government / police for investigative purposes, they can data mine it in order to find hidden value, and every bit of data sent can be counted towards your monthly usage cap, thereby, increasing the odds that you will run over and incur additional charges.

Please understand I am not arguing on behalf of carriers, merely attempting to point out the reality of the current environment. I don't own a smart phone, as I am aware that the reality of it, is that, I am paying to be spied on.

Re:Can't someone sue the carriers?

[fsckmnky]

Indeed. If the government began a program to spy on everyone domestically, it would undoubtedly cause a huge uproar, and likely be deemed unconstitutional ( at least I hope it would be deemed as such. )

But if companies collect the data, then the government can simply request the records, and pay the company a fee for retrieving them, as part of an "investigation."

Web search ... "what are you interested in ?"
Web analytics ... "what sites are you visiting ?"
Friends lists ... "who do you know / communicate with ?"
Mapping ... "where are you going ?"
GPS / wi-fi detection .... "where are you at right now ?"
SMS ... "what have you said to whom ?"

Welcome to the matrix. Good luck flushing yourself from it.

Re:Can't someone sue the carriers?

Carrier IQ DENIES that they are recording keystrokes. They deny this right now, on their website in a PDF, that is linked to right at the top of their home page:
"While we look at many aspects of a device’s performance, we are counting and summarizing performance, not recording keystrokes or providing tracking tools. The metrics and tools we derive are not designed to deliver such information, nor do we have any intention of developing such tools."

So even if our agreement with the carrier permits logging/capturing of this data, it doesn't allow you to LIE about doing it. Their software clearly logs data. We don't know if it keeps that data or transmits it back to anyone. But the data is clearly being captured in some fashion as demonstrated by the video.

Re:Can't someone sue the carriers?

[Goaway]

So, a third party had to make this spy app for the carriers because Google was not spying enough on users for their taste. And your conclusion is that Google is evil.

Re:Can't someone sue the carriers?

[Maow]

doesn't mean that you're no longer under contract; you're still operating under the same terms as before except that you can cancel service at any time.

In the video, he explains he has a separate phone for development, without any mobile provider / SIM, which he also plays games on.

It was connected via Wifi. Every keystroke, HTTPS search, etc. was recorded and presumably uploaded to CarrierIQ or to ATT (or whomever).

His device is not of concern to any mobile operator.

That's a significant issue, and I doubt he'd be hard pressed to convince a lawyer to take it on.

(IANAL, etc.)

Caught in a lie then.

[Nursie]

That's just nasty. First try to silence the researcher, then try to deny what's going on when you've already been caught.

The question is, will this have any effect? Will carriers stop shipping this stuff ? Will consumers care?

My guess is no, they'll just try to hide it better in future.

Re:I have

[Fri13]

Then install Permission Denied application (you need root) what gives you possibility to rip those permissions off from application https://market.android.com/details?id=com.stericson.permissions.

After selecting what permissions the app can have, you need to reboot to take it affect.
And the other great application is Droidwall what is firewall (needs root as well) where you choose per application does it have access to WLAN or 3G internet connection. Great to limit some apps only to use WLAN instead 3G or vice versa.

Re:Conspiracy theories aside...

[Fri13]

Seems like none of phones sold in EU comes with this preinstalled.

Think about it. EU would rip every carrier, phone manufacturer and software company in pieces if such privacy abusing would rise.
Not even any end user license would protect those companies at all.

Credit card number exposure

[SlashRAH]

When somebody installs a skimmer on an ATM or fuel pump, there are criminal penalties for (attempted) fraud. How is this software any different?

Not PCI compliant

[kooky45]

I believe this rules out all Android devices with CarrerIQ agents from being used to handle payment card numbers. There's no obvious mention on CarrerIQ's website of PCI compliance or how they protect the user's data. It probably also contravenes SOX, HIPAA and and host of other industry regulations. Bye bye lots of commercial use of Android handsets, especially Blackberry.

Re:Wow, a dumb troll

GP's point was that CarrierIQ is as much part of Android as Flash or Opera is part of Linux. The fact that it runs on Android and that carriers install it on Android doesn't change that.

How does it feel to fail even at basic reading comprehension skills?

Re:I have

[daid303]

One of the latest (7.2 or something) CyanogenMOD versions allows you to revoke permissions on installed apps. Which is the main reason why I installed Cyanogen.

But is the data actually transmitted anywhere?

[Wyzard]

In this video, the researcher is looking at debug logs from the phone itself, not network traffic logs showing remote communication. He clearly shows that keystrokes and URLs are being passed to the IQ software running on the phone, but presents no evidence that the data is actually sent to anything outside of the phone.

Has anyone determined what the IQ software does with all this information besides writing it to the debug logger? Is it actually sent somewhere, or saved to persistent storage on the phone? (I'm no Android expert, but I'm under the impression that debug messages are discarded when there's no debugger attached.)

Having this software running in the background is sneaky and certainly makes spying more possible than it would be otherwise, but it's not necessarily the huge immediate privacy violation that everyone seems to be assuming it is.

Absolutely illegal

[Riskable]

Some other folks were speculating that since you signed an agreement with your carrier that it somehow makes this legal. This is absolutely false. There are certain rights that you can sign away, certainly, but don't think of it like that. Think of it like, "What is Verizon doing with this data and how are they transporting it?"

Here's a few laws and industry regulations they are violating (by recording all keystrokes) off the top of my head:

1) The Payment Card Industry Data Security Standard (PCI DSS): If anyone ever (ever) enters credit card information into their phone (via an app, web page, whatever) that data must be protected according to the DSS (because all the carriers accept credit cards, that is). That means it must be encrypted in transit, when it is stored, and more importantly: certain information must *NOT* be stored (again, ever). For example, if a user enters the CVV2 from their card into an online form the carrier must ensure that this data does not get stored (good luck with THAT regex! hah!).

2) Graham Leach Bliley Act (GLBA). Undoubtedly, personally identifiable financial information is being recorded, transported, and stored without the user's knowledge or consent (each transaction/event would need its own notice and agreement with the carrier). That could add up to literally MILLIONS of violations.

3) Sarbanes Oxley: If they're recording this data they had better damned well keep an audit trail on it and be regularly disclosing that they're doing so to all their investors. They also must have documented controls & procedures and (likely) perform regular audits to ensure that said controls & procedures are being properly followed.

4) They can be held liable for having knowledge of crimes but not reporting them.

5) They can lose their common carrier status: Since they're now recording literally everything users do online they can be held (partially) accountable for what those users do. If you recorded the data you certainly could've audited it for fraudulent activity. "Have you been the victim of a crime that took place over a cell phone? Call the law offices of Sue & Win."

6) There's probably a dozen laws that say you can't intercept and/or store information related to people's banking accounts and financial transactions (unless you're the bank that the customer is interacting with). These laws are the ones that should make the carriers quiver in their boots. Some of these were written specifically to deal with gangsters and organized crime and as such could land executives in prison (not that I think the U.S. Attourney General would prosecute since our government is sadly, "stupidly hard on individual crime but soft on corporate crime").

7) Unless their contract specifically spells out that they're going to record every keystroke you enter into your phone they've opened themselves up to millions of lawsuits. If anyone ever wins one of these it will be game over for the carriers. "verizon" and "at&t" will likely become some of those "$50-per-click" Adwords on Google.

8) If they're not using proper encryption of this data in transit and storage, the PCI DSS will be the least of their problems... That's criminal negligence right there. After hearing all the controls the Payment Card Industry requires of the carriers for something as simple as a credit card number what jury could be convinced of a defense such as, "We didn't know!"?!? I mean, seriously. Forget being fired. If someone knowingly decided it was a good idea to record all keystrokes they should go to prison. It is the penultimate example of why you don't put non-technical people in charge of making technical decisions.