Carrier IQ Software May Be in iOS, Too

New submitter Howard Beale writes with this excerpt from The Verge: "To date, the user tracking controversy surrounding Carrier IQ has focused primarily on Android, but today details are surfacing that the company also may have hooks into Apple's iOS. Well-known iPhone hacker Chpwn tweeted today that versions at least as recent as iPhone OS 3.1.3 contained references to Carrier IQ and later confirmed it's in all versions of iOS, including iOS 5." The details are still emerging; however, iPhone users will be happy to hear that while it's reported that the software is available to the OS, "the good news is that it does not appear to actually send any information so long as a setting called DiagnosticsAllowed is set to off, which is the default."

Re:First post

why do people make frivolous useless posts like this, grow up.

Why does this CarrierIQ stuff matter anyway?

Part of the agreement is to allow Apple and the cellular carrier to monitor and be able to diagnose problems. One has zero expectation of privacy anyway with a cell phone, so having software which is present as per a signed contract is to be expected.

Re:Why does this CarrierIQ stuff matter anyway?

It matters because what the contract allows is ambiguous at best and definitely does not cover all that CarrierIQ is capable of (what it is configured for on a given phone from a given carrier may be a different story). In fact, keystroke logging of text messages may be in violation of federal wiretap laws, particularly if the logging continues even when the phone is not connected to a cellular network.

Re:Why does this CarrierIQ stuff matter anyway?

[alen]

carriers and handset makers need the ability to monitor their networks for problem cell sites and areas of low to no signal as well diagnostics about the phone and any problem apps.

if you go for tech support it's not like the people magically know everything that is wrong with your phone. the diagnostics data is collected and analyzed. if you complain of dropped calls its important to know where they are occuring

Re:Why does this CarrierIQ stuff matter anyway?

[thisnamestoolong]

It is not, however, important for them to have the keystrokes that you enter into your phone before sending encrypted communications. There is NO WAY that this is not a violation of the law if it is not explicitly mentioned in the ToS, as keystroke logging could never be remotely construed as even remotely necessary for system diagnostics; its only purpose is the violation of privacy.

Re:Why does this CarrierIQ stuff matter anyway?

[Lucky75]

Of course, when Apple does it, it must be okay. If other maufacturers do, BURN THEM AT THE STAKE!

Re:Why does this CarrierIQ stuff matter anyway?

[penguinstorm]

When was the last time you got any useful technical support from a cell phone carrier? Those guys play a classic game of passing the buck, blaming your handset (which they didn't make) interference (which they can't control) and anything else that's not the service they provide.

The notion that some Level 42 World of Warcraft Paladin who spends his days providing tech support for a cell carrier:
1) Has access to any useful information that relates directly to your handset,
2) Has the analytical skills to determine its meaning without rolling a 20 sided die
is patently ridiculous. They'd at best have access to your current outstanding balance.

North Americans need to stop buying handsets from manufacturers: start buying unlocked, carrier independent handsets and you'll change the industry. As long as over 90% of us are committing to contracts that are longer than the average length of time your phone lasts, the oligarchy that is the North American cell phone industry can do whatever it wants.

Re:Why does this CarrierIQ stuff matter anyway?

Bullshit. I've NEVER had anyone get or reference any information from my phone when I've called tech support for an issue. My guess is no one has. Tech support is some basic troubleshooting (is the phone turned on, do you have a signal, have you rebooted it etc), the next step is to send it in or take it to a service center. This collected data is not used to support the end users at all. It is used to provide metrics to the carrier and your privacy is ignored.

Re:Why does this CarrierIQ stuff matter anyway?

[Culture20]

Part of the agreement is to allow Apple and the cellular carrier to monitor and be able to diagnose problems. One has zero expectation of privacy anyway with a cell phone, so having software which is present as per a signed contract is to be expected.

Keylogging my username and password for my https or ssh connections is definitely not part of the agreement as I understood it (and a valid contract is a meeting of the minds, not an evil trap full of gotchas), no any other data that I might be typing in to encrypted or even non encrypted sessions. Sure, I admit that the non encrypted sessions might be listened to by someone, but the expectation is that the someone in that scenario is not my phone provider using a tool the installed before I bought it.

Re:Why does this CarrierIQ stuff matter anyway?

We can't buy carrier independent handsets because all of our cellphone networks are incompatible. Sprint phones sometimes work on Verizon, Verizon phones never work on Sprint, neither of them work on GSM, and AT&T and TMobile, the two GSM carriers, have incompatible 3G networks. Don't get me started on "4G" and the half-dozen different things it's been redefined into meaning.

Also, for every carrier except TMo, the monthly price is just as high when you bring your own phone as it is when you take the carrier subsidy.

So, since buying your own phone doesn't make it portable across networks, and costs more money up front and the same amount per month, there's no point. That's why everyone takes the carrier phone and contract; it's not because we're all stupid, it's because it's the most cost effective solution in a shitty market.

Re:Why does this CarrierIQ stuff matter anyway?

But the carrier does not require software on the user end to detect these problems. Hell, having extra data thrown around the network is worse than using DPI or other means at the RADIUS to detect and correct issues in the dataflow.

-Your friendly neighborhood Telecom Network Fault Manager

Re:Why does this CarrierIQ stuff matter anyway?

[MartinSchou]

North Americans need to stop buying handsets from manufacturers: start buying unlocked, carrier independent handsets

And where will they get those, if not from the manufacturer? Obviously they can't buy carrier independent handsets from the carriers.

Or did you mean that they should stop buying phones from the carriers instead?

Re:Why does this CarrierIQ stuff matter anyway?

[Reverand+Dave]

That's what I was thinking. When this came out yesterday about HTC and RIM people went nuts on this forum about privacy, but when it comes out that Apple is doing it too, well it couldn't possibly be the benevolent apple overlords are doing something inappropriate. Hell, they are going to start touting it as a feature pretty soon.

Re:Why does this CarrierIQ stuff matter anyway?

[amicusNYCL]

carriers and handset makers need the ability to monitor their networks for problem cell sites and areas of low to no signal

First, handset makers don't have networks or cell sites. Second, why do carriers need to use my device to test their network, they don't have their own equipment to do that? And if my device is transmitting diagnostic data, why the hell are they charging me data fees to send them diagnostics? I should be charging them. The point is that they don't need to use my device to test their network. And if they're going to ask me to do that, they sure as hell better tell me and better give me a way to opt out. Neither of those happened when I bought my phone. iOS took the right path with specifically calling it diagnostic mode, and having it disabled by default. Sprint tries to hide it from me. That's not right.

as well diagnostics about the phone and any problem apps

Again, they don't *need* the ability to do that. It would be *nice* if they had it, and frankly if they asked me I might allow them. But since they try to sneak it in the backdoor now I simply don't trust them and it's finally pushed me to the point where I'm ready to install Cyanogenmod and get rid of their software altogether. So now they get nothing.

if you go for tech support it's not like the people magically know everything that is wrong with your phone.

Yeah, you're right, even with all the data my phone has been sending them they still don't know what's wrong with it. So why should I send the data to them?

if you complain of dropped calls its important to know where they are occuring

A diagnostic application specifically for monitoring dropped calls is completely different than the software that is actually being used. Dropped calls are just one aspect that they try to highlight to claim that the software is benevolent, and then they deny the ability to log keystrokes even when proof is shown that they are.

If the company is lying about what their capabilities are and what data they're collecting, then that's a major red flag. That's enough to get me to remove the software.

Re:Why does this CarrierIQ stuff matter anyway?

Great post. I don't condone this stuff at all. But buyers being wary is a big part of the solution. Cell phone contracts are loans. We borrow the phone subsidy and pay it back over time in our monthly payments. If we buy an unlocked phone outright we have the flexibility of leaving a bad provider. I know there are caveats, but the strategy dominates alternatives. If you need to borrow money for a phone, don't borrow it from the carrier!

Re:Why does this CarrierIQ stuff matter anyway?

[unencode200x]

Wouldn't this same logic apply to an ISP and your computer? Should they be able to install a key logger on your computer to "diagnose" connection issues? Isn't a smart phone a computer with a phone?

Re:Why does this CarrierIQ stuff matter anyway?

[shutdown+-p+now]

That's why everyone takes the carrier phone and contract; it's not because we're all stupid, it's because it's the most cost effective solution in a shitty market.

It depends on what you want to do with the phone. If you e.g. use it for tethering, the cost of buying an unlocked international version for full price recoups itself pretty quickly.

Also, it is possible to have 5-band 3G phones that work on both AT&T and T-Mo, so you can at least switch between those two. For example, Galaxy Nexus is 5-band HSPA 850/900/1700/1900/2100 - which covers both AT&T's 1900MHz, and T-Mo's 1700/2100 MHz.

Re:Why does this CarrierIQ stuff matter anyway?

[tixxit]

You can, you just can't do it naively. You'll need to do some research. Usually this involves looking at the product page and a quick google search for what networks your carrier supports. However, if you buy your phone without a plan, then chances are you can choose a carrier that supports your phone, rather than a phone that supports your carrier. My phone is unlocked and works on AT&T when I'm in the states, so I got a prepaid plan with AT&T :-)

Re:Why does this CarrierIQ stuff matter anyway?

[TheLink]

Car analogy: just because you buy a car on hire-purchase doesn't mean the bank gets to do whatever they want with the car. Even if you don't pay up, there are still certain limitations to what they can do to repossess the car.

And even if you rent a car, the rental agency doesn't get to do whatever they like with the car once you've rented it out.

IANAL but I suspect recording conversations in the car and recording videos of the interior would generally not be legal unless you get permission from the court.

Re:Why does this CarrierIQ stuff matter anyway?

[ColdWetDog]

Think about it. CarrierIQ is a front for the NSA.

I hope you didn't post that from your cell phone.

Re:Why does this CarrierIQ stuff matter anyway?

[tsa]

Even if he/she didn't, his/her ISP knows he/she posted that.

Re:Why does this CarrierIQ stuff matter anyway?

[tsa]

That's why it's handy to have a government that actually cares about its citizens, like we have in Europe.

Re:Why does this CarrierIQ stuff matter anyway?

[Mia'cova]

To be fair, tethering service costs the same one way or the other. It's just easier to 'steal' that service when your phone is unlocked. Not that I in any way, shape, or form support charging for tethering separately from phone data, it's how the contracts are written.

Re:Why does this CarrierIQ stuff matter anyway?

[Mia'cova]

And by unlocked, I really mean jailbreaked..

Re:Why does this CarrierIQ stuff matter anyway?

[shutdown+-p+now]

As far as I'm concerned, "tethering service" amounts to enabling the appropriate widget on operator-supplied phones where it's otherwise disabled, so I don't need it.

Yes, I know that their contract says something else. I very much doubt that those provisions are meaningfully enforceable in court - any more so that the requirement to, say, only hold the phone in your right hand (and never in the left one!) when making a call through operator's network. Reason being, tethering is something I do to the device, not to the network, and they can't enforce what I do to my device - it's mine. They can legally enforce what goes over their network - i.e. packet content - but that's a different thing, and is not how they define tethering in contract in any case.

Pragmatically, since I use it to tether an Android tablet through an Android phone, good luck catching that.

easy to turn off as well

[alen]

everything it collects is viewable to the user and you can turn it off in settings > general > about > diagnostics & usage

Re:easy to turn off as well

[Bill_the_Engineer]

That's better than my HTC phone which allows you to do the following in settings > About Phone > Tell HTC > Network preference > "When data connection is available" or "When Wi-Fi or cable connection is available".

I can turn off "Tell HTC" but apparently that is only for error reports relating to HTC Sense.

No other options for turning off network diagnostics are available.

Re:easy to turn off as well

Confirmed that with tcpdump have you? Apple have hidden / obfuscated this nasty software hoping no one would notice it. That's pretty damning in itself, even if they have the decency to give it a config screen (assuming the screen is real and the code honors the settings).

Re:easy to turn off as well

[alen]

the log files are right there in the phone and you can easily see them

this sounds like the issue with the touchpad where HP had the diagnostics set to max and the performance was crap. except in this case the manufacturers are using twice the RAM and twice the MHz CPU's for android phones compared to the iphone to make up for the overhead of this software.

most of the tech geeks creaming themselves over specs are idiots because they don't realize it's just for crap like this

Re:easy to turn off as well

[Lunix+Nutcase]

That's funny cause I don't remember Goggle, HTC, etc. telling anyone about this on Android phones. Oh, I forgot. Apple baaaaaad!

Re:easy to turn off as well

[alen]

since android is open you can just compile the code yourself and install a copy of the OS on your phone without this

Re:easy to turn off as well

And what about the end users who dont know how to do that??? Is Android just for tech geeks only?

Re:easy to turn off as well

[ugen]

Not on iOS 4.3.3 - there is no such option here. So I can't turn off this "mis-feature" on my iPhone.

It seems Apple added it in iOS 5, and did so only after the public became somewhat aware of their diagnostic collection practices, as a measure of damage control perhaps?

Re:easy to turn off as well

[19thNervousBreakdown]

I have a ... friend ... who regularly posts on Facebook every hyperbolic Apple story he can find. Apple might as well have mailed a tanto, a bottle of Jack Daniels, and a picture of Steve Jobs banging their S.O. to every Foxconn employee, Apple was the only company that kept cell tower logs which they only kept so they could place you at the scene of a murder if you decided not to buy the next iPhone, and the iPhone 4's antenna gave such poor reception because it wasn't an antenna at all, it was a transmitter designed to beam cancer and full-blown AIDS directly into your brain. Oh, and of course the ever-so-classy "I'm glad he's dead" post.

He's also espoused the benefits of his Android phone without the slightest sense of irony, as if an Android zealot is any less annoying than an Apple zealot. So, all in all, the thunderous silence from his Facebook feed is ... mmm, delicious.

I don't understand people who don't understand that the corporate system is pure evil by design, and that literally any public corporation (and 95% of the privately-owned ones) would slice open your belly and play jump-rope with your guts if it made them 0.01% more than giving you a new house and ending world hunger would. Apple might have played nice (relatively), but if that is so, it sure as hell isn't because they respect us and believe that every person is entitled to privacy.

Re:easy to turn off as well

[Yvan256]

Nothing in iOS 3.1.3 either, which is the highest version that can be used with a first-generation iPod touch.

Re:easy to turn off as well

[Bill_the_Engineer]

since android is open you can just compile the code yourself and install a copy of the OS on your phone without this

Yea lets bring out the "android is open" mantra. Conveniently leave out the rooting part, the waiting for Google to decide to release the source code, and waiting for groups like CyanogenMod to make a rom image for your phone.

I don't have an iPhone but if I did I could easily say I can do [insert special neat trick] with my iPhone after jail breaking it. There really isn't much of a real difference for people with the initiative. Especially if you depend on other people to do the real work for you.

Let's keep the discussion on phones as delivered to the average consumer.

Now take a deep breath and rationally think this through. Which is easier (for anyone)?

1. Turning off the settings using the menus within the iPhone, or

2. Downloading a rom image from CynamodGen, rooting your Android phone, and reinstalling Google binaries and reseting all your user settings.

Re:easy to turn off as well

Yes! Only tech geeks should be allowed to touch any computing tech at all and everyone else should be restricteted to POTS and telegraph.

Re:easy to turn off as well

[NatasRevol]

It is kind of neat to look at the logs, but it's amazing to me that my phone is writing logs every 5-10 minutes. It takes me 2 minutes to scroll to the bottom of the LIST of logs, which are only about two weeks of data.

Re:easy to turn off as well

[Desler]

Thanks for showing how much of a fanboi you are. Hiding software with keyloggers is okay cause Android is open source! But Apple baaaad because they have it disabled by default and easily turned off by one settings switch rather than having to reflash your phone.

Re:easy to turn off as well

[Fahrvergnuugen]

Anyone who wanted to know what is collected and sent only had to click the "About Diagnostics & Privacy" link in iOS directly under neath the switch you have to hit to turn it on:

Apple would like your help to improve the quality and performance of its products and services. Your device can automatically collect diagnostic and usage information and send it to Apple for analysis — but only with your explicit consent.

Diagnostic and usage information may include details about hardware and operating system specifications, performance statistics, and data about how you use your device and applications. None of the collected information identifies you personally. Personal data is either not logged at all or is removed from any reports before they’re sent to Apple. You can review the information by going to Settings, tapping General, tapping About and looking under Diagnostics & Usage.

If you have consented to provide Apple with this information, and you have Location Services turned on, the location of your device may also be sent to help Apple analyze wireless or cellular performance issues (for example, the strength or weakness of a cellular signal in a particular location). This diagnostic location data may include the location of your device once per day, or the location where a call ends. You may choose to turn off Location Services for Diagnostics at any time. To do so, open Settings, tap Location Services, tap System Services and turn off the Diagnostics switch.

You may also choose to turn off Diagnostics altogether. To do so, open Settings, tap General, tap About and choose “Don’t Send” under Diagnostics & Usage.

To help Apple’s partners and third-party developers improve their apps, products and services designed for use with Apple products, Apple may provide such partners or developers with a subset of diagnostic information that is relevant to that partner’s or developer’s app, product or service, as long as the diagnostic information is aggregated or in a form that does not personally identify you.

For more information, see Apple’s Privacy Policy at www.apple.com/privacy

Re:easy to turn off as well

[CharlyFoxtrot]

It appears to be disabled by default so you're probably OK. Follow chpwn's blog and twitter for more info.

Re:easy to turn off as well

[rsmith-mac]

CarrierIQ is relatively new, and Apple is rather conservative. As surprised as I am that they have it in the first place, it's unlikely that it's in anything pre-dating iOS 5.

Re:easy to turn off as well

[tobiasly]

I don't have an iPhone but if I did I could easily say I can do [insert special neat trick] with my iPhone after jail breaking it. There really isn't much of a real difference for people with the initiative. Especially if you depend on other people to do the real work for you.

Um, please define "special neat trick". If you think there "isn't much of a real difference for people with the initiative" then you obviously haven't participated in the Android custom ROM community. iPhone has nothing like it, and the reason for that is that Android is open-source.

Is it a perfect, fully open community driven hacker's utopia? No, but I blame the carriers for that much more than Google. Sure they keep their crown jewels (Gmail, Maps etc.) closed and proprietary but they've certainly raised the bar for openness on mass-market consumer devices and they deserve credit for that.

Now take a deep breath and rationally think this through. Which is easier (for anyone)?

1. Turning off the settings using the menus within the iPhone, or

2. Downloading a rom image from CynamodGen, rooting your Android phone, and reinstalling Google binaries and reseting all your user settings.

Can you tell me with any certainty that Option 1 absolutely prevents any such data from being sent to the carriers or CarrierIQ?

And you forgot Option 3, which is to vote with your wallet and buy a Nexus device, which doesn't have Carrier IQ, which Google releases the source code for (including all binary drivers where source isn't available) as soon as, or (with 4.0) before the device launches, and is the most open, hacker friendly mass-market consumer mobile device in the US today.

Re:easy to turn off as well

[coinreturn]

Your first generation iPod touch is not a phone, and hence would not have CarrierIQ.

Re:easy to turn off as well

[Culture20]

That's funny cause I don't remember Goggle, HTC, etc. telling anyone about this on Android phones. Oh, I forgot. Apple baaaaaad!

Google never installed it. HTC neither. Sprint, AT&T, etc. did. In Apple's case Apple is the one that installed it (if it's there).

Re:easy to turn off as well

[ceoyoyo]

That's performance reports to Apple, not to the carrier. Carrier IQ is something else. Although reports are that it's disabled (and the code has been neglected) in iOS.

Re:easy to turn off as well

[ceoyoyo]

You lose the built in apps like Google maps when you do that too, don't you?

Re:easy to turn off as well

[sociocapitalist]

I'm on IOS version 4.3.3 and I don't have this option. Might be that I bought it in France where presumably the EU laws on data collection might be providing some level of protection.

Re:easy to turn off as well

since android is open you can just compile the code yourself and install a copy of the OS on your phone without this

News: $ANDROID_DEVICE has $PRIVACY_FLAW, made worse by $UNPATCHED_BUG and $CARRIER_BACKDOOR.
iOS Fanboys: lol android sux!
Android Fanboys: That's okay, because Android is Open(TM), and anyone can easily fix this by installing their own version of Android.
iOS Fanboys: yeah, but no normal person will do that, also you're nerds.

News: iPhone has $PRIVACY_FLAW, made worse by $UNPATCHED_BUG and $APPLE_BACKDOOR
Android Fanboya: lol apple sux!
iOS Fanboys: That's okay, because Apple will fix this in the next version, and anyone else can fix this by jailbreaking
Android fanboys: yeah, but users shouldn't deal with evil companies, also you're clueless sheep.

Re:easy to turn off as well

[Sloppy]

Let's keep the discussion on phones as delivered to the average consumer.

Why? What a boring discussion that would be. But ok, here it is: users, carriers, and manufacturers have conflicting interests, and software which serves counter-user interests is almost always bundled with the hardware, which is why average consumers never end up with good phones.

There. Now that discussion is over, let's move the discussion on how to get a good phone, i.e. how to avoid being an average consumer.

CyanogenMod is one way to get a pretty decent one. Buying an out-of-production and doomed Maemo is another. Anyone know of any other options?

Re:easy to turn off as well

Nope. In fact, there are even some devices where you get Google's apps, most importantly Market, only with custom ROM, if vendor has decided to exclude them from install.

Re:easy to turn off as well

The are all available from many sources to re-install.

Re:easy to turn off as well

[Bill_the_Engineer]

Um, please define "special neat trick". If you think there "isn't much of a real difference for people with the initiative" then you obviously haven't participated in the Android custom ROM community. iPhone has nothing like it, and the reason for that is that Android is open-source.

I own an Android phone. I actually been using CyangenMod for years now. I admit I don't use CyangenMod on my newest Android phone since I haven't had a compelling reason to continue to waste my valuable time playing on my phone. I do still have my unlocked and rooted old phone. So short answer is yes I have participated in the Android custom ROM community and for a very long time at that. A clue may have been that I knew the steps involved in my previous comment.

BTW, my iPhone friends say that there is a thriving jail break community on the iPhone and supposedly you can do things on a jail broken phone that can't be done on a locked iPhone. One being installing GPL licensed software as binaries from a third party software provider. I remember seeing him use his jail broken phone as a WiFi hotspot before it was sanctioned on both iOS and Android.

Honestly you could Google the iPhone jail break community and know about as much as I do, since I don't know much myself.

Can you tell me with any certainty that Option 1 absolutely prevents any such data from being sent to the carriers or CarrierIQ?

I'd say yes. Only because the iPhone is the most scrutinized (and vilified) device on the web and it hasn't been discovered so far. Also if you RTFA you'd see that the author reported that it's off by default.

And you forgot Option 3, which is to vote with your wallet and buy a Nexus device, which doesn't have Carrier IQ, which Google releases the source code for (including all binary drivers where source isn't available) as soon as, or (with 4.0) before the device launches, and is the most open, hacker friendly mass-market consumer mobile device in the US today.

Option 3 wasn't really that appealing of an option. I had the opportunity to by a Google phone when I upgraded. Google dropped the ball and couldn't decide if they would really support it. I really don't know if I could depend on Google to support their current Nexus phone for long. My reasoning being that if I had to pay full unsubsidized price for a phone then the manufacturer could at least humor me and pretend that they would support the phone. Maybe Google learned their lesson which may explain why they are purchasing Motorola so someone who knows what they are doing could make and support their phones.

Re:easy to turn off as well

[Bill_the_Engineer]

Anyone know of any other options?

Of course, OpenMoko!

Re:easy to turn off as well

[He+Who+Waits]

No, you can't turn it off. You can (un)check a box that determines whether the collected data is transmitted to Apple (or so it says). But the data is still collected, and is still visible to the carrier. Also, (at least some of) the data is still visible to anyone in momentary possession of the iPhone.

Re:easy to turn off as well

[amicusNYCL]

I'd say yes. Only because the iPhone is the most scrutinized (and vilified) device on the web and it hasn't been discovered so far. Also if you RTFA you'd see that the author reported that it's off by default.

Just as a point of fact, this cannot be proven without someone doing the type of analysis that Trevor Eckhart did with Android. It's not enough to assume that turning it off disables all communication, or assuming that someone else would have found it. You need a verifiable negative, that someone specifically looked for it and discovered that it is not transmitting.

Re:easy to turn off as well

[amicusNYCL]

CarrierIQ is relatively new, and Apple is rather conservative.

CarrierIQ is 2 years older than iOS.

As surprised as I am that they have it in the first place, it's unlikely that it's in anything pre-dating iOS 5.

Oh, it's *unlikely*. Well, call off the search then, nothing to see here.

Re:easy to turn off as well

[Kazymyr]

Speaking of Motorola, so far I haven't heard of one single phone from them that has CIQ on it. My Motorola XPRT certainly doesn't have it (I used Trevor's tools to check) nor does the Verizon equivalent (Droid Pro). More power to them.

Re:easy to turn off as well

[The+Moof]

It still has online connectivity, hence could have CarrierIQ.

Re:easy to turn off as well

How about this neat trick? Get a Windows Phone, don't even have CIQ to worry about.

Re:easy to turn off as well

[chrb]

There is a big difference: Google does not provide this software as part of their Android distribution, and Google has not installed it on any of the Nexus phones that they sell. For Android, Carrier IQ is third party software that has been installed by some carriers. That makes the carriers responsible, not Google. It is not even clear that Google knew what third-party software carriers ship on their phones. The carriers have no legal responsibility to impart this information to Google, just like if you sell a pre-installed Ubuntu system you don't have to contact Ubuntu and let them know what you installed.

In contrast, Apple appears to have shipped this software as part of iOS, and secretly installed it on millions of iPhones without telling anyone. For a long time Apple fanboys have argued that because Apple is in control of the iPhone, and not the carriers, then it is impossible for this kind of crap to happen. It seems the impossible just became reality.

It's worth noting that whilst Carrier IQ is running for all iOS versions, uploading the logs appears to be turned off by default on iOS3/4, but it is not known how or when it gets turned on. On iOS 5, Carrier IQ log uploads are controlled by the “Submit Logs to Apple” option on iOS setup. Most users would probably trust Apple with their logs, right? So most iOS 5 users probably have Carrier IQ uploading their logs right now.

Re:easy to turn off as well

[Belial6]

No. They just become apps that get installed instead of being pre-installed. So, while you 'technically' lose the "built in" part, you don't lose the apps.

Re:easy to turn off as well

[shutdown+-p+now]

The problem here is that HTC phone that was previously dissected also has a similar disclaimer, and a switch to disable logging... the problem is that CarrierIQ software actually does more than what that disclaimer described, and was not fully affected by any switches. In particular, it's a keylogger.

Of course, it's a big question whether CarrierIQ in iOS is anything like the one in Android. But, at this point, the fact that the name is even present at all is a big red flag.

Re:easy to turn off as well

[tobiasly]

BTW, my iPhone friends say that there is a thriving jail break community on the iPhone and supposedly you can do things on a jail broken phone that can't be done on a locked iPhone. One being installing GPL licensed software as binaries from a third party software provider. I remember seeing him use his jail broken phone as a WiFi hotspot before it was sanctioned on both iOS and Android.

Honestly you could Google the iPhone jail break community and know about as much as I do, since I don't know much myself.

There's a HUGE difference between the iPhone "jailbreak community" and the Android custom ROM community. Yes I assumed you knew the Android option existed but if you think jailbreaking an iPhone and loading custom apps is any comparison then I guess we're not speaking the same language.

I'm sure someone has managed to get some open source OS running on the iPhone but it's nowhere near the community or user base of CM and other custom ROMs. And I know that CM running on my Nexus S (or even stock Nexus S ROM for that matter) isn't running CarrierIQ because all of the relevant user-land apps are open source.

I'd say yes. Only because the iPhone is the most scrutinized (and vilified) device on the web and it hasn't been discovered so far. Also if you RTFA you'd see that the author reported that it's off by default.

Yes I did RTFA and it's peppered with words like "may only be active when the iPhone is in diagnostic mode" and "does not appear to actually send any information" and "the local logs on iOS seem to store much less information". So no the author isn't sure of anything either since he's just getting started and the fact that this was just discovered on iPhone and the scope of what it does is just now coming to light (custom Android ROM devs first discovered CIQ about a year ago) means you can't say with any certainty that it's not doing anything nefarious.

Option 3 wasn't really that appealing of an option. I had the opportunity to by a Google phone when I upgraded. Google dropped the ball and couldn't decide if they would really support it. I really don't know if I could depend on Google to support their current Nexus phone for long. My reasoning being that if I had to pay full unsubsidized price for a phone then the manufacturer could at least humor me and pretend that they would support the phone.

You do raise good points about Google's less-than-ideal support so I can't really argue with that statement except to say again it's a matter of priorities. I bought an unsubsidized Nexus S with over a year left on my Epic 4G contract and a big part of that decision was the discovery of Carrier IQ by the Epic custom ROM devs. I decided then and there I'd never buy any device that wasn't a pure "Google Experience" device. I'm not faulting anyone for having different priorities than I do, but I'm really glad that Google has given me that choice by the way of a first class open source mobile operating system. So yes the "android is open mantra" is a pretty big deal to myself and many others, it's not just lip service.

Re:easy to turn off as well

What the fuck? Just because it's Apple you can't bring yourself to believe that they might've given the user actual CONTROL over something that by default *isn't* there on Android?

Yes. That config screen is real (Settings -> General -> About -> Diagnostics & Usage)

Yes, the default is *turned off*.

And YES MOTHERFUCKER, I did confirm it with tcpdump - before you even asked. Some of us iPhone fans happen to be Linux devs too and know our way around a TCP/IP stack.

Re:easy to turn off as well

So just because carriers install it on their Android phones, we have to assume that Apple goes through the trouble of writing it into their OS (which they do), that they include a configuration screen for it (which they do), but somehow forgets to include the code that honors those settings? Why do we have to assume that for Apple devices? Apple devices are different because they don't appear to let the carriers install (and remove configuration options for) whatever crap they want to on Apple devices, whereas Google specifically does allow carriers to do this by the nature of developing Android as open source code.

Your argument is the same as fundamentalists who believe in god and conspiracy theorists - that because you cannot disprove it that you have to believe it is true. It is just as fallacious when you say it as when others say it in a different context. You are not applying common sense to this situation; please stop.

Re:easy to turn off as well

[Bill_the_Engineer]

There's a HUGE difference between the iPhone "jailbreak community" and the Android custom ROM community. Yes I assumed you knew the Android option existed but if you think jailbreaking an iPhone and loading custom apps is any comparison then I guess we're not speaking the same language.

I'm sure someone has managed to get some open source OS running on the iPhone but it's nowhere near the community or user base of CM and other custom ROMs.

I guess we are talking different languages. I said nothing about installing another OS on the iPhone nor do I believe that all that can be accomplished requires me to insert custom code into the kernel. I know that people are able to run daemons on the iPhone with upgraded privileges (root), since there was a default password exploit on the sshd service that the original jail break script installed years ago. I assume that most of the really "novel" software on the iPhone require a jail broken phone solely for the elevated privileges that are required to access some services/API which the stock iPhone won't allow.

Most of *my* modifications to the linux kernel involved making a driver for a new piece of hardware. I did have an occasion where I needed to patch the linux kernel for pulse per second synchronization and there was a flaw in the LinuxPPS code that triggered on both rising and falling edges of the PPS being fed on a serial port which required my correction. That said if I did need to something at the Kernel level on the iPhone, since iOS is based on the Mach kernel, I assume I could write a kernel extension for a jail broken phone. I assume since I don't have access to a jail broken phone, but I'm sure someone around here has experience. Anyway, I assume the iPhone hardware is well supported by iOS so I really don't know why you place so much value on the OS being open source for *this* particular part of the conversation.

And I know that CM running on my Nexus S (or even stock Nexus S ROM for that matter) isn't running CarrierIQ because all of the relevant user-land apps are open source.

You only assume that CarrierIQ isn't running unless you actually view the source code yourself. You also assume that a CarrierIQ like function doesn't exist in the phone's firmware that isn't explicitly covered by an open source license.

So yes the "android is open mantra" is a pretty big deal to myself and many others, it's not just lip service.

This is where we really differ. I support open source (professionally on occasion) yet my support doesn't rise to the level of zealotry. I do not disqualify any product solely on the basis that it's less open then other options.

Re:easy to turn off as well

If they include an option to turn it off, and the option is off by default, how is that "secretly" installing it on their phones? That's pretty blatant if you ask me.

Re:easy to turn off as well

[thetoadwarrior]

Yeah because that is a real option for so many people. I just saw some middle aged women arguing over whose rom image pwnz the most.

Re:easy to turn off as well

The defy does have it...

Re:easy to turn off as well

[TJamieson]

Replying to remove accidental troll mod.

Re:easy to turn off as well

The i* may not be the most publicly scrutinized device. It took someone about 4 years to realize that the GPS information was freely available to every app (i.e. a public file) and that it was being transferred between devices.

And remember your reward for pointing out issues: you get banned from the store.

Add those two up and presto, obfuscation is easy. Deleting (or not bothering to) logs is easy to do, especially with software already on the phone.

Re:easy to turn off as well

Eat your words: http://blog.chpwn.com/post/13572216737?fe250de0

Yes, you can disable it, and the log collection stops.

Re:easy to turn off as well

everything it collects is viewable to the user and you can turn it off in settings > general > about > diagnostics & usage

Oh no you can't! Slashdotters told us it was not on the iPhone last week even though those pesky journalists said it was.

Re:easy to turn off as well

[Rennt]

WiFi? No GSM or 3G means no carrier, means no CarrierIQ.

Re:easy to turn off as well

[mjwx]

Speaking of Motorola, so far I haven't heard of one single phone from them that has CIQ on it. My Motorola XPRT certainly doesn't have it (I used Trevor's tools to check) nor does the Verizon equivalent (Droid Pro). More power to them.

Why are people blaming the manufacturers, its the telco's that are doing this. The name CarrierIQ should give it away.

I've tested a Vodafone AU branded Desire HD a Telstra (AU) branded Galaxy S as well as an unbranded Galaxy S II, guess which of them had CarrierIQ.

None did, none at all.

If this has appeared on IOS, it's pretty damning evidence that either Apple doesn't have as much control over their product as people think or are complicit in this act. Android being open is a pretty watertight defence for Google and HTC/Moto/Samsung et al.

Re:easy to turn off as well

Back when there was no Android I bought an iPhone, and jailbroke it and used it as a wifi hotspot, which was very convenient

But as soon as I could I bought an Android, gave that phone to a friend and breathed a sigh of relief. Why?

I was so sick of constantly fighting Apple for control of my phone. My GF plugs the thing into her computer, iTunes says 'update?' and I leap across yelling 'nooooooo' knowing that if she clicks the wrong button I have a very good chance of having my phone bricked forever.

On Android you don't even need to have root to install third party apps, the market is open.

Cyanogenmod and like can have the latest source code in a readable fashion without having to reverse engineer it, that's open

And the intent system means without rooting or using a ROM you can replace the phone app, SMS app, camera, any app you like with something off of a market. Like a jigsaw puzzle just lift it out and replace it. Can you replace the iOS phone? Hell no, it's art man, don't touch that! This isn't your phone, we're just giving you the priviledge of paying to borrow it

Android is 1000x more open no matter which way you slice it. I do admire Apple for gaining a slightly better negotiation position against the carriers, but we as consumers also have the ability to simply not use the carriers we don't like.

Re:easy to turn off as well

Buy the hardware from a carrier, then flash the phone with software directly from the manufacturer. I used benchmarks and found a 3x speed increasing moving from the Optus (Australia) Galaxy S version of Android to the generic (no carrier tarnished) European version of the Galaxy S from Samsung.

3 times, wow

If only Google would make some way to easily get OTA updates from any source we choose, with the manufacturer's securely built in as options. Just click update > from samsung (or add repository > update from cyanogenmod), we'd finally demote these carriers once again to being just the simple infrastructure providers they are

Re:easy to turn off as well

[AmiMoJo]

Bullshit. You can test your claim easily by installed Cyanogen and comparing it to the manufacturer's performance. I tried it on a Galaxy S and the performance was the same as with the Samsung firmware. I also tested a HTC Hero where it made a big difference, but that turned out to be due to the Sense UI in the official ROM because when I installed a Cyanogen mod with Sense performance was the same.

When comparing the iPhone to an Android phone you have to remember to turn off all the features that the iPhone doesn't have. Unfortunately that is almost impossible because Android is designed to multitask and run apps in the background, but you can get close.

Turns out more people seem to have having speed problems with the iPhone than Android phones: http://www.google.com/trends?q=android+slow%2C+iphone+slow

Keep in mind that Android outsells the iPhone considerably so the difference is not because the iPhone is more popular.

Re:easy to turn off as well

[AmiMoJo]

Yea lets bring out the "android is open" mantra. Conveniently leave out the rooting part, the waiting for Google to decide to release the source code, and waiting for groups like CyanogenMod to make a rom image for your phone.

I don't have an iPhone but if I did I could easily say I can do [insert special neat trick] with my iPhone after jail breaking it. There really isn't much of a real difference for people with the initiative. Especially if you depend on other people to do the real work for you.

I only buy electronics that I know I can hack. I was burned too many times but manufacturers abandoning products a year or two after release or banning features that I wanted because they conflicted with their business model. When I own something, I really own it and can do whatever the hell I like with it. I don't want to in a cold war with the manufacturer, fighting their attempts to lock me out of my own hardware.

Google's own phones have unlocked bootloaders so you can load any OS you like, add custom kernels or OS patches etc. You actually own the phone. I got my current Galaxy S because it was a slightly better deal than the Google version (Nexus S) and easily hackable. I would never consider buying an iPhone because jailbreaking is not nearly as good as Android root access or custom ROMs, and whenever there is an update you need to do it again where as on Android you just upgrade with a pre-rooted official ROM from xda-developers (assuming the update even breaks root access, I find that usually they don't and I just re-run the rooting app after the update, plus they don't normally overwrite the custom bootloader either).

The same goes for Sony and Nokia. Either I own it 100% or you can keep it. For me Android being open is vitally important.

Re:easy to turn off as well

[tobiasly]

I guess we are talking different languages. I said nothing about installing another OS on the iPhone nor do I believe that all that can be accomplished requires me to insert custom code into the kernel.

I guess the reason I make the distinction in this case is that, when we're talking about something like Carrier IQ that is buried deep into many libraries throughout the system (see this post from March in XDA: http://forum.xda-developers.com/showpost.php?p=11763089&postcount=3 ), performing a complete OS wipe and installing an open-source OS from the ground up gives me a much better assurance that no one is tracking what I'm doing. (Yes, aside from the issues you mention such as chipset and firmware code).

But yes, for many/most cases that users actually care about, gaining root privileges is "enough".

So yes the "android is open mantra" is a pretty big deal to myself and many others, it's not just lip service.

This is where we really differ. I support open source (professionally on occasion) yet my support doesn't rise to the level of zealotry. I do not disqualify any product solely on the basis that it's less open then other options.

Thanks for your contributions to the kernel. But please don't assume that support of openness is "zealotry". Myself and many others are very pragmatic about this and realize there are many places where it doesn't make sense or isn't feasible. If you read comments from the CM devs they aren't on some Free Software crusade, they just enjoy hacking their phones and having a (more) open platform to do that on makes a big difference. I don't care that the GPS or 4G drivers on my Nexus are proprietary binary blobs as long as they're supported by Google and they work well.

But when this is a device that basically holds all the most personal details of my life, and we see stories every day about Carrier IQ and shopping malls tracking cell phone users and everyone else who wants to know more about me than I want them to, you bet I'm gonna support more open devices and support the companies that promote them. Yes there's a lot of zealotry out there but in this particular case it's very relevant.

Re:easy to turn off as well

[Bill_the_Engineer]

But please don't assume that support of openness is "zealotry".

l didn't mean to make that assumption about you in particular. It was a knee-jerk reaction caused by prolong exposure with eager enthusiasts.

If you read comments from the CM devs they aren't on some Free Software crusade, they just enjoy hacking their phones and having a (more) open platform to do that on makes a big difference. I don't care that the GPS or 4G drivers on my Nexus are proprietary binary blobs as long as they're supported by Google and they work well.

Then we have more in common than I gave you credit for.

But when this is a device that basically holds all the most personal details of my life, and we see stories every day about Carrier IQ and shopping malls tracking cell phone users and everyone else who wants to know more about me than I want them to, you bet I'm gonna support more open devices and support the companies that promote them. Yes there's a lot of zealotry out there but in this particular case it's very relevant.

To Apple's credit they are the most up front company that I have dealt with. They always make their positions known to the customer up front and their customer service is excellent at least it has been my experience so far. Apple faced legal repercussions from the collection of WiFi data last year and I would believe that they take privacy issues a little more seriously than my phone carrier.

As for CarrierIQ, I don't really think the phone OS matters much. The CarrierIQ service within the smart phone only serves to provide usage patterns to your phone provider when you are out of their network coverage area or using WiFi. They still have most of the information available from towers and I am suspicious about their radio firmware which is not open sourced. My phone carrier offers a $10/month subscription service using a third party vendor that allows me to track all my phones regardless of type (They support my Samsung, Nokia, and Motorola handsets that are NOT smart phones).

To clarify my position: I agree that the Android OS being open source does provide some protection from tracking services running at the OS level. However it isn't fail safe because the carrier has other avenues to get most of the same information from your phone, and not all crucial parts of you phone is open sourced (e.g. Radio Firmware). I also believe that iOS isn't necessarily unsafe from not being open sourced. The iPhone customers do place a lot of trust in Apple. Apple knows this and understands the financial repercussions of violating that trust. Apple will not risk hurting its cash cow.

Handset Or Carrier?

Is this software specific to various handsets or is it specific to the carrier?

So far it has seemed to me that this guy is using Sprint and thier phones seem to have it. But, people on AT&T are reporting that their phones do not have it.

Does anyone know for sure?

Re:Handset Or Carrier?

I used to work in the EU for a US phone manufacturer (starts with an 'M'), and mid-2009, integrating CIQ became a mandatory requirement for products that were to be bought by AT&T. This was the first time a carrier asked for this, and at the time, the requested info came mainly from the modem side (signal levels, dropped calls stats, network conditions and so on). Carriers use CIQ-logged info to monitor the health of their network and spot potential problem areas. I would say that this is more of a carrier-thing, and not specific to one handset or another.

I don't know if the list of required info kept growing or who asked for application-side info like Google searches and text messages' content, though...

(Posting anon because I don't know what laws/contracts I am potentially breaking...)

Re:Handset Or Carrier?

And you can be sure the carrier broke more laws in the EU than anywhere else with regards to CIQ tracking.

Re:Handset Or Carrier?

(Posting anon because I don't know what laws/contracts I am potentially breaking...)

I hope you're not posting from a mobile phone. ;)

How did the software get on an iDevice?

[dotancohen]

Aren't we told that Apple's walled garden would prevent non-sanctioned applications from running or even being installed? Does that mean that Apple is complicit in installing Carrier IQ?

Re:How did the software get on an iDevice?

[broken_chaos]

Does that mean that Apple is complicit in installing Carrier IQ?

Yes. It was potentially something they were told to do by carriers, but Apple has had a habit of telling anyone that went against their worldview to fuck off, so I imagine it at least doesn't conflict with their intents.

Re:How did the software get on an iDevice?

[alen]

apple has to somehow support their products. cheaper to license software than write it yourself from scratch

Re:How did the software get on an iDevice?

Aren't we told that Apple's walled garden would prevent non-sanctioned applications from running or even being installed? Does that mean that Apple is complicit in installing Carrier IQ?

Nice troll mod. Some Apple fanboi has modpoints I see. He is blind and ignorant as well.

Re:What!?!

-1 goatse

Re:What!?!

[alphamax]

Do not click the link, it is evil.

Reassuring?

[jc42]

"the good news is that it does not appear to actually send any information so long as a setting called DiagnosticsAllowed is set to off, which is the default."

This is supposed to be reassuring? How many people will ever read about this? And how long until it's turned on by default? Or perhaps turned on by a remote message.

I've found it useful as an example for people who don't understand why we need free/open software. This story simply means that if you use your phone to access anything that is protected by a password (or PIN or whatever), that little hidden bit of software is making a copy of your login, password, account numbers, etc., and sending it off to some site that you know nothing about. Whoever has that information can then get into your account and do as they like with it. I've seen a lot of worried looks, and I know a number of people who have held off on the idea of using their phone to access their bank accounts as a result of this information.

I try to get the idea across that, as long as there's any software that's not freely available to us software geeks ("hackers" to the media), so that we can study it and expose such little nasties, nobody's information or accounts or identities can be considered safe. This sort of software can and does send all your private information to some unknown strangers.

Re:Reassuring?

[Lunix+Nutcase]

Because we all know it's impossible to hide such things like trojans in foss without anyone noticing for months on end, right? Oh wait...

Re:Reassuring?

[twiddler69]

I'm sure most people know that every bit of their life is tracked. With all the technology that exists, the government knows more about you than you know about yourself.

Re:Reassuring?

[rayd75]

I've found it useful as an example for people who don't understand why we need free/open software. ...

You might want to re-think that after reading the article, including its updates. Ironically, the (closed, walled garden) Apple version appears to send only diagnostic data that could be conceivably used for legitimate troubleshooting of dropped calls and the like whereas the (free, open) Android version is more akin to a rootkit, complete with backdoor and key logger.

Re:Reassuring?

CarrierIQ on iOS has no ability to monitor text input. It's nothing like on Android, and this article is alarmist bullshit

Re:Reassuring?

[RyuuzakiTetsuya]

When you activate an iOS device, it prompts you if you want to send this data. Further more, if you go into the device settings, and look at the diagnostics, it shows you all the files it's storing and what exactly it's reporting.

Granted, it could be doing something else behind the scenes, but this is more than what you're getting with the Android Carrier IQ(As someone pointed out on The Talk Show, a great oxymoron) installs.

Re:Reassuring?

[CharlyFoxtrot]

This is supposed to be reassuring? How many people will ever read about this? And how long until it's turned on by default? Or perhaps turned on by a remote message.

On the latest version of iOS, on the welcome screen on first boot it explicitly asks you if you want to turn on the sending of diagnostics and stuff like location services. This was Apple's response to the privacy kerfuffle after the location tracking thing. Yes I am disappointed it's even in there but Apple is doing the right thing here by disabling it by default.

I've found it useful as an example for people who don't understand why we need free/open software. This story simply means that if you use your phone to access anything that is protected by a password (or PIN or whatever), that little hidden bit of software is making a copy of your login, password, account numbers, etc., and sending it off to some site that you know nothing about. Whoever has that information can then get into your account and do as they like with it. I've seen a lot of worried looks, and I know a number of people who have held off on the idea of using their phone to access their bank accounts as a result of this information.

CERT Advisory CA-2002-24 Trojan Horse OpenSSH Distribution

Re:Reassuring?

[DeadCatX2]

I can put CyanogenMod on my Android handset. I can load ROMs based on carrier firmware that has CIQ removed.

Thanks to Open Source Software, I have this choice.

Re:Reassuring?

[rayd75]

I can put CyanogenMod on my Android handset. I can load ROMs based on carrier firmware that has CIQ removed.

Thanks to Open Source Software, I have this choice.

Agreed... but you represent maybe a couple percent of total Android users in regard to your ability and will to do that. My son tells me that Android runs great on his first gen iPhone... so I guess Android provides the same benefit to similarly-minded Apple users. The remaining ones are stuck with a "Automatically Send / Don't Send" radio button. What do the other 98% of Android device owners have?

Re:Reassuring?

[Cogneato]

Does your mom have this choice? I know mine would have no clue. The most tech-savvy of the population aren't the ones we should be concerned about. The people that this affects the most are the ones that receive a device that is set to log their keystrokes and never really know to ask about it.

The open source community, of which I am part of, expresses the benefits of using of open source software, but when something like this negatively affects the masses, their answer is always one that is not readily known and/or available to the masses. The simple fact is that secret default key logging in inexcusable in any consumer software, open source or not. For those that really care about promoting the use of their favorite software, instead of making excuses for it or offering complicated fixes, you should be raising holy hell.

Re:Reassuring?

[bananaquackmoo]

You might want to re-think what you said. How would we even KNOW about Carrier IQ if Android wasn't open enough to find out?

Re:Reassuring?

Yep... This is not an open / closed argument although it's trending toward one. It's about Google saying to the carriers "Here's our masterpiece.... rape away." The end result is phones running an unrecognizable OS due to skinning, running a crap-ton of bloatware, and shipping with remote key loggers installed. Say what you will about Apple's model, but their users' experience is what Apple wanted to be; not what the carriers demanded.

Re:Reassuring?

[rayd75]

You might want to re-think what you said. How would we even KNOW about Carrier IQ if Android wasn't open enough to find out?

Um, by reading the "diagnostic and logging" screen that pops-up during the initial configuration of my phone? By looking at the logged data in the settings menu? The only thing that we've learned today is that the diagnostics and logging system in iOS is vaguely-tied to CarrierIQ. It's not been a secret that it's there and there's no evidence that it does anything more than what it discloses to every new user. Yesterday, it didn't have a name. Today, it does.

Re:Reassuring?

Is it obligatory for shills to include "Say what you will about $company_name" in their posts?

shipping with remote key loggers installed

Yes, Apple doesn't leave it to carriers, they prefer to install it themselves. "For better integration with system and control of user experience".

Re:Reassuring?

[sociocapitalist]

...Android version is more akin to a rootkit, complete with backdoor and key logger.

Has this been conclusively determined? References?

Re:Reassuring?

[Tom]

If anything, this demonstrates why Free Software alone is not the answer. In this case, the closed-source iOS is actually respecting your privacy more than the Open Source Android.

You still think that code is the answer, but it isn't. Dennis Richie demonstrated long ago how even access to the full source doesn't make you safe. As long as there is a part in the chain that you don't control, you can be fucked over.

This is a place where actually the legal solution is simpler, easier and more reliable than the technical one. Pass a couple good laws (the "good" part is where our current incompetend corrupt breed of wannabe-politicians are challenged) and enforce them. Sure, it doesn't give you the same 100% security that an EAL7 solution with explicit privacy specifications would - but it's not SciFi and it will work good enough for practical purposes the same way that making murder illegal doesn't prevent it completely, but well enough that in most of the civilized world where the rule of law works, people don't give the extremely remote possibility of being murdered a thought.

Re:Reassuring?

[jc42]

Does your mom have this choice? I know mine would have no clue.

Similarly with mine. But this is perhaps best answered with the canonical auto analogy: My mom also wouldn't have a clue about her car's transmission. Does that mean that transmissions should be "closed" systems that can't be worked on by independent experts (both professional and amateur)?

Saying that something should be "open" doesn't imply that we think that everyone is expected to hack at it themselves. It means that people who don't (care to) know about the details can hire someone who does know. That way people can get their gadgets' problems diagnosed and fixed. Without this, diagnosis and repair can only be done by the manufacturer's people. Many corporations have a history of hiding known problems even when people are dying from them.

If your only choice is to take it to the dealer, you've just been set up as an easy mark. And when it comes to the low-level details of comm devices, you've been set up to have your identity stolen and your bank accounts emptied. You only defense against this is to insist that your stuff (whose innards you don't care about) be open to investigation by people other than the ones who sold it to you.

Actually, the auto analogy applies there pretty well, too. Lots of large organizations have their own auto/truck maintenance & repair departments. They don't buy vehicles without shop manuals, because they want their own people to do the repairs. This isn't saying that everyone who buys a vehicle should have a shop manual and do their own repairs. It's just saying that you'd be a fool to buy a vehicle for which the shop manuals aren't available. Without shop manuals, a vehicle generally doesn't sell well to large organizations who can afford their own staff of experts.

(Though this analogy does have its limits. There are a few high-end extremely expensive cars whose buyers always have work done by a dealer's specialized mechanics. This might apply to super-computers, too. But in those cases, the specialized mechanics still have all the manuals they need to work on the low-level components. And such cars aren't mass-market products.)

Re:Reassuring?

[jc42]

CarrierIQ on iOS has no ability to monitor text input.

Um, how exactly do we know this? Because someone at Apple said so?

No, really; if there's a way to verify this claim, I'd like to read about it. Where can we find the proof of the above statement? Not just an assertion, but a way of verifying that it can't happen on iOS.

And it'd be useful to have a guaranteed way of verifying it after an upgrade. Computer vendors do have a history of adding new "features" in upgrades; that's part of what upgrades are for.

The judicious approach would be to not believe any security-related assertions without independent verification . It's not clear how this might be done with binary-only "locked" software.

Re:Reassuring?

Apple has for years included "diagnostic" tools that send back information on Macs. They're always opt-in and are easy to disable later. The same is true here. I don't see why they would change that by making it opt-out instead, since that's just the sort of bad publicity that they don't need, and they likely already have a large enough sample size from those who do opt-in to make any relevant decisions based on the data available (iOS 5 prompts the user during setup/upgrade regarding whether they want to opt-in or not).

Plus, keep in mind that Apple's customer is the end user, whereas the customer for many of these other companies is the carrier, a third-party advertiser, or some other entity that wants access to the user's information. It's in Apple's best interests to not piss of their users, since their users are their customers.

Re:Reassuring?

[chrb]

the (free, open) Android version is more akin to a rootkit

Carrier IQ is not free or open. The post you responded to was arguing that closed source is more difficult to analyse, which is clearly true. If Carrier IQ were open source, we would have known about it years ago, and we wouldn't need to reverse engineer it to figure out what, when and how it's doing what it does, and under what conditions the logs get transferred to remote servers, etc.

I would also argue that, as much as we dislike Carrier IQ, it isn't really a rootkit - the software itself makes no effort to hide its presence, which is one of the defining characteristics of a rootkit. Also, you say that the Android version has a "backdoor" - could you provide a reference for this? As far as I can see, this is not actually true, as it doesn't enable any secret authentication-bypassing remote access (which would be the very definition of a backdoor).

Re:Reassuring?

[izomiac]

Why yes, we should trust CarrierIQ at their word for what their software does and does not do. Being closed source makes it quite difficult to verify their claims, and just recently they were caught trying to silence a researcher, then lying about key-logging. Doing the latter is probably a direct violation of federal law and several state laws. So, clearly, they are a bastion of trustworthiness.

Re:Reassuring?

[rayd75]

the (free, open) Android version is more akin to a rootkit

Carrier IQ is not free or open. The post you responded to was arguing that closed source is more difficult to analyse, which is clearly true. If Carrier IQ were open source, we would have known about it years ago, and we wouldn't need to reverse engineer it to figure out what, when and how it's doing what it does, and under what conditions the logs get transferred to remote servers, etc.

I would also argue that, as much as we dislike Carrier IQ, it isn't really a rootkit - the software itself makes no effort to hide its presence, which is one of the defining characteristics of a rootkit. Also, you say that the Android version has a "backdoor" - could you provide a reference for this? As far as I can see, this is not actually true, as it doesn't enable any secret authentication-bypassing remote access (which would be the very definition of a backdoor).

You're right and though the discussion was leaning that way, I didn't actually mean to take a position on open versus closed. No, the software in question doesn't technically meet the definition of a rootkit but I maintain that it's "akin" to one. It is not part of Android as released by Google, and although it doesn't alter APIs to hide itself (such as removing itself from process lists or filesystem calls), it's not an application that shows-up in the launcher, nor do users have any meaningful control over it. A backdoor provides a means for bypassing access control... and this software, as it's been seen on many Android devices, is a secret means of accessing data stored on or passed by (even over SSL) potentially PIN-secured, filesystem-encryped devices. It doesn't seem to be remotely initiated so maybe it's not a backdoor so much as a back window. They can't come in but they can stand outside and see everything you do.

Re:Reassuring?

[Smurf]

CarrierIQ on iOS has no ability to monitor text input.

Um, how exactly do we know this? Because someone at Apple said so?

Apple? No, not Apple. It was Chpwn, the same hacker who found the Carrier IQ software on iOS in the first place.

From his blog post, linked to in TFA (emphasis his, not mine):

Importantly, it does not appear the daemon has any access or communication with the UI layer, where text entry is done. I am reasonably sure it has no access to typed text, web history, passwords, browsing history, or text messages, and as such is not sending any of this data remotely.

Re:Reassuring?

[rayd75]

Why yes, we should trust CarrierIQ at their word for what their software does and does not do. Being closed source makes it quite difficult to verify their claims ...

True, the closed-source nature limits third party evaluation to sniffing LAN traffic. I'll be interested to hear more as the digging continues. As of now, all I've seen is that there are "references" to CarrierIQ in iOS. Lots of people seem to be making a leap that CarrierIQ's software is running on iOS. It's possible, but it doesn't seem likely for the company that completely shut-down the possibility of carrier-mandated apps on their phones.

Re:Reassuring?

[thetoadwarrior]

Wow another homo who thinks that something being open source means it's perfect because obviously there are millions of people checking the code at any given minute. Open source is an exceptionally good thing but open source != safety. Perhaps it can mean that things will get fixed sooner than closed source but knowing something will be fixed in two days rather than 2 months is no good to someone who, for example, loses their CC details due to a security flaw.

Re:Reassuring?

Can you show me this prompt? I can easily find Google's Location Consent (back when the GPS issue was discovered) Or are is it buried in the Eula?

Last I heard, you were "selling" your location on i devices, and the only way to Opt Out was to visit some random website that you were told about in paragraph 39, subsection 34, sentence 4. (not the real number, lol)

Re:Reassuring?

[exomondo]

If anything, this demonstrates why Free Software alone is not the answer. In this case, the closed-source iOS is actually respecting your privacy more than the Open Source Android.

No, that's obviously false because CarrierIQ is not a part of Android, which is precisely the reason it is not present in all Android devices. It is installed on the device alongside Android by some handset manufacturers. This should be pretty obvious even if you aren't familiar with the software in question given that it is the handset manufacturers (that don't make Android) that are embroiled in this and not Google (who do make Android).

Re:Reassuring?

[Tom]

That it's only some Android devices is true. But it doesn't change the point. Open Source doesn't protect you against crap like this.

Re:Reassuring?

[exomondo]

That it's only some Android devices is true.

Which is why the idea that In this case, the closed-source iOS is actually respecting your privacy more than the Open Source Android is just rubbish since CarrierIQ is completely separate to Android.

But it doesn't change the point. Open Source doesn't protect you against crap like this.

Of course not, that's obvious, running an open source program on windows won't protect you from a rootkit, just like running an open source android version on a device that also includes some proprietary software won't protect you from anything malicious that proprietary software does.

Re:Reassuring?

[Techman83]

But the question is, would Carrier IQ have been found if it wasn't for Android being open and how long before Apple decided that they wanted to collect more data? Open Source doesn't give you automatic protection, however eventually someone will stumble upon something and go "hrm, this is weird, I wonder what it is".

I'm pretty sure there are already some _good_ laws to prevent these kind of privacy invasions, how are those working out in this case? These big companies only respect the laws that they think can't get away with. When they get busted and a class action is started, they go through the motions and hand out a few vouchers stating "Sorry, we messed up", then continuing doing what they can get away with.

Re:Reassuring?

[Tom]

But the question is, would Carrier IQ have been found if it wasn't for Android being open and how long before Apple decided that they wanted to collect more data?

That's two questions and they are entirely seperate.

Yes, Carrier IQ would've been "found". It's been found on iOS and BlackBerry, too, you know? iOS, despite being closed source, has been taken apart ever since it was first released.

The "enough eyes" assumption is an assumption. We have seen time and time again that it doesn't hold true, because on the very specific parts of some obscure code, there simply aren't that many eyes that take a look.

I'm pretty sure there are already some _good_ laws to prevent these kind of privacy invasions, how are those working out in this case? These big companies only respect the laws that they think can't get away with. When they get busted and a class action is started, they go through the motions and hand out a few vouchers stating "Sorry, we messed up", then continuing doing what they can get away with.

Then the laws aren't good, or are not enforced well. Simple as that.

We have a few good laws on the books over here in Germany. Enforcement, however, is not so stellar. In theory, something like Carrier IQ (with the keystroke logging) could carry a fine of up to â25,000 per case, which means per customer that was spied upon. Yes, we're talking about sums that would bancrupt a carrier. That's how it needs to be, otherwise they could shrug it off.

But the district attorneys are part of the political machine and won't risk the bad press of having a few thousand jobs lost. Basically, when you're a company you can get away with anything, simply by making sure that if they harm you many "innocents" would suffer.

Re:Reassuring?

[RyuuzakiTetsuya]

sure.

Angry Birds

[LoverOfJoy]

In other news, hackers have discovered that the game, Angry Birds, mysteriously turns on a setting called "DiagnosticsAllowed".

Re:Angry Birds

[coinreturn]

Pulled that one out of your ass, now didn't you? Apps do not have access to system-level settings like that. Yes, I know that. I am an iOS developer.

Re:Angry Birds

[Pope]

The original Angry Birds asks for Location events, you can see it in the Settings. Why does a single player game need that info?

Re:Angry Birds

The original Angry Birds asks for Location events, you can see it in the Settings. Why does a single player game need that info?

In app advertising was my thought. Also, spatial analytics would help them on the merchandising side of the house ("Ah, it's really popular in this small Iowa town...We need make sure those folks can buy our stuffed animals.")

But then, I'm not particularly conspiratorially minded.

Re:Angry Birds

[amicusNYCL]

How long as CarrierIQ been part of iOS?

Re:Angry Birds

[coinreturn]

It could be that it uses location-based leaderboards. I noticed that Flight Control shows your high score in comparison to people near you. I'm not advocating such a strange feature, just noticing it.

Re:Angry Birds

You're also a pathetically pedantic fuckhead. How do people like you survive in the real world?

Re:Angry Birds

You have no sense of humor. Yes, I know that. I can detect a fun nazi at 100 paces.

Jeeze man, it was a joke.

Re:Angry Birds

[Bucky24]

It's a joke, cupcake (note the score:5, Funny). Calm down.

Re:Angry Birds

[coinreturn]

It wasn't moderated yet when I replied.

Re:Angry Birds

How would we know the humor if not for the /. mod system!

Bad news: you've picked up a hitch-hiking murderer

[Rogerborg]

Good news: last time you looked, he was still sitting in the back and hadn't stabbed you yet.

Doesn't seem to log much

Here's my "diagnostic log" or at least one of them:

deviceId: "aac0e3b1805c47f85e759c5d............"
isAnonymous: true
deviceConfigId: 101
triggerTime: 1320879763561
triggerId: 72014
profileId: 1012
investigationId: 0
bluetoothServiceDisconnectionResult {
timestamp: 1320879561
deviceOUI: "\00\066="
service: 8
result: 104981
}

seems a bit less intrusive than the one demoed yesterday.

Re:Doesn't seem to log much

[CharlyFoxtrot]

seems a bit less intrusive than the one demoed yesterday.

Seems so :

"Importantly, it does not appear the daemon has any access or communication with the UI layer, where text entry is done. I am reasonably sure it has no access to typed text, web history, passwords, browsing history, or text messages, and as such is not sending any of this data remotely."

Why would Apple need something like this...

[Assmasher]

...when they wrote iOS? Weird.

I can understand it being found on Android devices since individual phone companies (who are absolute sh** at making software - personal experience) would want to avoid doing it themselves, but Apple?

Re:Why would Apple need something like this...

Apple doesn't need it. Hint: it's in the product's name. The carriers want it.

Re:Why would Apple need something like this...

[Assmasher]

Hint - Apple doesn't let carriers put things on its phones...

Re:Why would Apple need something like this...

What on earth makes you think that? They don't let Carriers put visible apps on the phone. background processes are a completely different story.

Re:Why would Apple need something like this...

Hint - That's why Apple put CarrierIQ on their phones for them.

Re:Why would Apple need something like this...

[alteran]

This is flamebait but the parent isn't? Give me a break.

The above post made a legitimate point-- Apple is ALONE among the handset manufacturers in putting this crapware on their phone. We know this for many reasons, not least because Apple explicitly says they don't allow carriers to mitigate the Apple experience. It's possible some of the other manufacturers have done this, but since the carriers have the ability to do this themselves on the other platforms, it makes a lot of sense that they put this on when they put all their other junk on.

On the flip side, CIQ appears less nefarious on iOS and is certainly easier to disable. I can't believe I've got to root and mod my Samsung Vibrant to get this crapware off it.

Re:Why would Apple need something like this...

[Bucky24]

I highly doubt that Apple would allow the carriers to dictate what is on the phone. If they did it would be filled with crapware like most Android devices.

Re:Why would Apple need something like this...

Hint - What you think doesn't matter, IT HAPPENED, the REALITY is that Apple agreed with AT&T to put it on it's phone.

Re:Why would Apple need something like this...

[mjwx]

Hint - Apple doesn't let carriers put things on its phones...

Nope, Apple does it for them. Hence why they can charge you for tethering. Apple made it possible for carriers to remotely control that feature and enforce it by ensuring no tethering applications are persona non grata from the app store and any other source of applications are denied to Iphone users. Even if I buy an Iphone outright and unlocked, carriers still have this functionality.

Personally, I'd rather have the carriers control the phone because it means I can easily gain the same level of control not to mention being able to buy a stock standard phone outright that is already completely beyond their control.

Re:Why would Apple need something like this...

[Assmasher]

You're missing my point. Why would Apple need a 3rd party software maker to create controls/logging/diagnostic software for an operating system that it writes?

Also doesn't record UI/keypress info

[Dixie_Flatline]

Not only is it off by default, apparently it's only allowed to access information at a layer that doesn't give away the farm. It's not recording your keypresses, the sites you visit (which apparently the HTC version does even if you're on WiFi) or anything else that's possibly a significant security risk. Supposedly, it really does act just as it's claimed to in the press releases.

(I'm aware that I use 'apparently' and 'supposedly'; I have no concrete info that I've tested myself, this is just what I've read today.)

Android

[Spad]

Interestingly, it looks like the "pure" Android phones (i.e the Nexus line) don't ship with CarrierIQ

Re:Android

[CharlyFoxtrot]

Neither does Windows 7 (source.)

Re:Android

[Lucky75]

Google already has all your information. It's evil companies like Samsung that don't.

Re:Android

[Beriaru]

Not only "pure" Android. I have a LG Optimus 3D (the equivalent of the Thrill 4G) and it doesn't have any traces of Carrier IQ. As far as I know, it's only confirmed in HTC and Samsung devices.

Re:Android

[Bill+Dimm]

Neither does Windows 7 (source.)

Wow, Windows Phone 7 is so insignificant that they wouldn't even port Carrier IQ to it? ;-)

Re:Android

[Joao]

My T-Mobile HTC G2 doesn't have it either.

Re:Android

[xaxa]

Neither did my un-branded Android phone bought in the UK, or my friends Orange-branded Android also bought in the UK.

It sounds like this is something added by American carriers.

Re:Android

I just checked my AT&T Samsung Galaxy S2. No CarrierIQ crap.

Re:Android

[shutdown+-p+now]

It's called CarrierIQ for a reason. It's put there by carriers, and even then only when the customer protection laws of the country they reside in allow them to get away with that without any significant punishment.

Nexus devices and Xoom, even when sold by American carriers, have all software on them in exactly the way Google tells them to have it. Which is to say, stock Android + drivers for the specific hardware being used. So either buy that, or buy unlocked international versions.

Re:Bad news: you've picked up a hitch-hiking murde

Unless you have an Android phone, in which case, he's already stabbing you every time you turn a corner.

"Evil" Setting

[TC+Wilcox]

I for one appreciate that Apple has decided to make sure their "Evil" setting is turned off by default for the time being.

Re:What!?!

[Kyusaku+Natsume]

There should be a way to block all the accounts of this troll or to report him to /. editors, apparently he created a thousand of these accounts.

Who can turn it on? That's what matters.

[Kamiza+Ikioi]

The question is, can a government agency or anyone else call up Apple or a carrier and have them remotely activate CarrierIQ on the iPhone?

I don't care if it's "off by default". I care if it's "controlled by the user". There's a clear and concise distinction, and Apple's track record does not lead me to believe that Apple doesn't have absolute control to remotely activate this or any other setting at their discretion. Even if they were unable to before, they may have added that remote capability since they've lost several phones before.

Re:Who can turn it on? That's what matters.

[gnasher719]

The question is, can a government agency or anyone else call up Apple or a carrier and have them remotely activate CarrierIQ on the iPhone?

Apple wanted to provide carriers with some means of diagnosing certain faults, and did that. They are not telling you exactly what they do, but diagnostics will only be turned on if you want to. Quite possible that if you had problems with your phone, and called your carrier for support, they might ask you to turn this software on - so they can diagnose this problem.

If Apple wanted to spy on you, you wouldn't notice. Same as with this idiotic outrage about location data stored on your phone: That data is cached information coming from Apple's servers. If they wanted to keep track of your location, they would record the info on their servers, and you wouldn't notice.

Re:Who can turn it on? That's what matters.

[Fahrvergnuugen]

It wouldn't matter if they did because the version in iOS is completely anonymized.

Re:Who can turn it on? That's what matters.

[Assmasher]

You damn skippy!

Slashdot Anti Apple Bias

[Robert+Gadling]

Now that CarrierIQ is also found on the iPhone (albeit in a harmless version), this is now considered Slashdot news. As long as only Android was affected it was apparently not considered newsworthy.

Re:Slashdot Anti Apple Bias

[Lucky75]

Err...hold your pitchforking. It was posted on ./ about two weeks ago and was a big story.

Re:Slashdot Anti Apple Bias

[justcauseisjustthat]

see "Android Dev Demonstrates CarrierIQ Phone Logging Software On Video"

Re:Slashdot Anti Apple Bias

[NotSanguine]

Geez, Robert! This took less than five seconds.

So, are you trolling or are you just too lazy to type "CarrierIQ" into the search bar?

Sigh!

For those who are gunshy about clicking links here (is that a Goatse I hear?), just search Slashdot for CarrierIQ

Re:Slashdot Anti Apple Bias

[xaxa]

It was on the front page yesterday: http://yro.slashdot.org/story/11/11/30/0423256/android-dev-demonstrates-carrieriq-phone-logging-software-on-video

CarrierIQ is a requirement of certain operators

[rwwyatt]

It is actually required to be integrated for all devices for certain carriers (this includes Data Cards).

Re:What!?!

[NatasRevol]

Every link to evenweb.com is goatse.

The more you know...

Re:Bad news: you've picked up a hitch-hiking murde

iPhone? Your stuck with the Axe Murderer in a Turtle Neck... that will sue you for copying the way he drives BEFORE he kills you.

Android? With a little looking and forethought, you can replace the "Angry Backstabbing Murderer" with a "cute blonde". You can even tweak the Blonde to have bigger boobs if you want.

On Android... you are only stuck with the "Murderer" if you are too lazy to replace him... or too dumb to know how to get into his mind and convince him otherwise. (Or stupid enough to drive a car with OnStar where you don't control the locks).

Sure... the Blonde might be the sweetest thing since sliced bread... or she might be a gold digger... but you still have to option to replace her or replace parts of her you don't like.

Can DiagnosticsAllowed be turn on remotely?

So the carrier can turn it on/off at will? Or worse a criminal or overzealous news reporter pretending to be the carrier?

Democracy isn't practical without privacy, so this is a big deal.

Re:Can DiagnosticsAllowed be turn on remotely?

[LDAPMAN]

No, the carrier cannot turn it on remotely. Theoretically Apple could turn it on with an OS update but then they would get excoriated in this forum and others. The data they are collecting is harmless and they allow you to turn it off completely. They also let you see the data.

What I see on my phone is:
1. Reports on connection strength and radio parameters
2. Reports on low memory conditions and whats running when they happen
3. Application crash reports. These may be sent to the app developer so the app can be fixed.

Note that if you click the link at the bottom of the Diagnostics control screen they provide a very long detailed description of what they collect and what they do with it. This page repeatedly states that no personally identifiable information ever leaves the phone.

At the risk of incurring wrath from iFans...

[__aavqan3009]

Apple is in fact circling the drain now. They`re playing "follow-the-leader" with features on their phones. Now that Mr.Jobs is gone Apple will slowly go the way it went the last time Mr.Jobs left. Except this time, no amount of coaxing will get Mr.Jobs back. Save this post. Date it. Refer back to it. I`m not kidding. Just wait.You`ll see.

Re:At the risk of incurring wrath from iFans...

[cpuh0g]

Apple is in fact circling the drain now. They`re playing "follow-the-leader" with features on their phones.

Do you have anything other than your own personal opinion to back up your "fact"? AAPL corporate earnings continue to grow, their products continue to sell and expand their market share, they are the #1 or #2 company in the world in terms of market cap and they have a ginormous cash hoard to draw upon for further R&D and expansion.

If you want to see a perfect example of a company that actually IS circling the drain, take a look at RIM.

"follow-the-leader features"? Siri-ously (har har)? Oh look, Google has a Siri-like app now! Leading-the-followers is more accurate...

Re:At the risk of incurring wrath from iFans...

Are you insane or have you just drank the koolaid? Off of the top of my head Saudi Aramco has a market cap of around 7 billion and Pemex has a cap of 4.9 billion. That's way more than AAPL and thats without even looking. That makes them at least #3 and I'm betting if I looked I could easily find more. Also from what I've seen of Siri it looks like Apple just copied Google voice search(with worse voice recognition) and added a crappy AI that doesn't work to it.

Re:At the risk of incurring wrath from iFans...

Siri-ously? There's someone who still takes Siri for The New UI That Will Revolutionize The Phone?

Google doesn't have Siri-like app, it has its own voice recognition services without AI, and had it for a long time. There are Siri-like third-party apps (and Siri itself _was_ a third-party app until Apple bought it out and locked it to iOS5).

Re:At the risk of incurring wrath from iFans...

Siri-ously (har har)?

Har-har, indeed.

Re:At the risk of incurring wrath from iFans...

[cpuh0g]

You are off by a few hundred billion, do your research...

AAPL is #2 with a market cap of $360 BILLION. XOM (Exxon/Mobil) is #1 with $380 B.

Re:At the risk of incurring wrath from iFans...

[doccus]

This may not be a popular position to take, but I suspect you might just be right.. I have already seen the rot set in with their desktop OS.. which started just about the time that SJ's healt took a severe turn.. 10.6 was the first to 'upgrade' to be demonstrably worse than it's predecessor, and many feel that 'Lion' continues that trend.. I don't know about iOS but if it follows the same pattern, there could be problems. The situation with Snow leopard is serious enough to make a 15 year mac veteran dump OSX for Linux.. that shows it's not just a couple of 'quirks'..

Re:At the risk of incurring wrath from iFans...

[BasilBrush]

You're saying Snow Leopard was worse than Leopard? That's just nonsense. Snow Leopard was the best ever version of OS X. It was only for Intel Macs, so those still on PowerPCs might have been disappointed it wasn't for them. But it was certainly a great upgrade for those that upgraded.

The situation with Snow leopard is serious enough to make a 15 year mac veteran dump OSX for Linux.

PowerPC?

For sure, Lion has some problems. But Snow Leopard was excellent.

Communication content is still private

[DeadCatX2]

At least according to US laws, the content of your communications are still considered private. It's just the destination and time of communication (bookkeeping data) that has no expectation of privacy.

The fact that SMS keystrokes can be recorded is clearly a violation of privacy.

I'm also quite worried about the fact that I have to put the password for my work account into my phone in order to receive my work emails. I expect those to be private as well, especially since the password field is masked with *'s (which definitely implies that the password is private). The fact that some previously unknown company may know my work password is frightening to me.

Data Charges

Honest question: When this is turned on do we still get billed for it's usage? Could this be also called bandwidth stealing? If I'm on a 200mb/month plan and this is on how much data is it using of my data plan? I know it will depend upon my usage of texts and websites and so on but do you think it doubles my usage allowed?

Re:Bad news: you've picked up a hitch-hiking murde

Here's a thought... most people who run smart phones do not have the ability to replace portions of the system software that come with their phone. I can see that you look down on such people, but you're an elite technologist so you think that's OK.

Telling people that they can replace parts of the system software they don't approve of is like telling a car owner that he can simply replace the brakes if he feels the standard ones aren't powerful enough. Yes, he can - if he has the knowledge and the equipment. But only a tiny fraction of car owners will have the necessity prerequisites and will care enough to do that. Most will trust the manufacturer to have made the correct choice of brake components.

In the case of Android phones, it appears the right choice is to send user data to carriers without telling anyone or providing an option to turn it off - at least, I can't turn it off on my HTC phone. In the case of Apple phones, the default is not to send data and to make visible the option to send data and also show the user what data is being sent.

But some people still think the Apple methodology is more evil. Mind boggling really.

It seems like an event log...

[sohmc]

I'll echo many of the other comments here: It's not really the fact it logs everything. The question is what is it doing with that information.

While I'm not a full-fledged hacker, I know enough about logging and event triggering to know that the computer has to be able to keep track of events so that things that rely on events can be triggered. The best examine is browser events. If there's code to pop-up a window on a click, the browser has to register the click somewhere and the handler has to then pass the buck to function to open the window.

If Carrier IQ proper is collecting this data -- for any reason -- it should be disclosed and it should be able to be turned off. If Android, Apple, et al is using Carrier IQ has an event logger, it should be clear that the information is internal to the phone and is not available to other applications.

Overall, it seems like Android, Apple, et al got caught with their pants down. Assuming the best, they just forgot to mention that this software was a part of their OS.

Re:It seems like an event log...

[LDAPMAN]

Caught with their pant down? The first thing that pops up when you turn on the iPhone for the first time is a box explaining this and asking if you want to allow it. Thats not exactly hiding it. As someone posted above there is also a very lengthy explanation and the actual log files available on the control panel that allows you to turn it off. Some conspiracy.

So rooted devices with custom ROMs don't have this

[darkmeridian]

I am just going to guess that Android devices that were rooted and run custom ROMs don't have Carrier IQ installed. If that is the case, everyone should bitch and whine about the right to have root access on their devices, and the right to add whatever freaking ROM they want. If the carriers are keylogging their devices, we should be able to disable that feature. If they don't let us do that, we should be able to wipe off their spyware.

Can you prove that you're not a pedofile?

[Brannon]

What if you decided to become one later? We've got our eyes on you.

Denying it just makes you look more guilty.

Re:Can you prove that you're not a pedofile?

What if you decided to become one later? We've got our eyes on you.

Denying it just makes you look more guilty.

Buying a house across the road from a school and a bunch of cameras with telescopic lenses does look slightly suspicious, yes.

Re:Bad news: you've picked up a hitch-hiking murde

[clonehappy]

So, let me get this straight. Someone who can replace the brakes on their own car is an "elite mechanicist"? I know plenty of hillbillies who can upgrade their braking system. There's nothing elite about them, they just know how to work on cars. Just like there's nothing elite about those of us who can modify our system software on our handheld computers (telephones), we just know how to work on computers.

Anyone can learn to change brakes on a car, anyone can learn how to change (software) parts on a phone. Just for some reason, most people think that the "magic box" needs "magic people" to work on it. That's why people don't try to learn how to do these things, there's this perception that it's just *so* complicated that any mere mortal cannot possibly know how it works.

Example, I got my first car in 1996. It was a 1984 Buick POS. At this time, I had no idea how cars worked. It was constantly breaking down because I drove it like I stole it. A couple friends of mine were pretty competent at mechanical repairs, so we started diagnosing and repairing our cars (which were also early 80's POS's) together, and now, 15 years later, I feel pretty confident I can complete most basic/intermediate auto repairs myself, if I needed to. Granted, being around people who knew about them helped, but they themselves were self-taught for the most part.

At the same time as I became friends with some car guys, they also became friends with me and some tech guys. Now, those guys are pretty competent at (at least the basics) of technology and how it works. My friends and I were self taught at computers. So between the (say 6) of us, I don't think there isn't a mechanical or technological thing we couldn't do, if we needed to. Nothing elite, nothing special, just regular people who want to know how the things we use every day work.

I know what everyone will say next: people have busy lives and most could care less about how a cell phone, computer, car, electricity, or the like operates. I get that, but at the same time, if they *really* care about if their phone is spying them, or their brakes are substandard, or whatever, they can either buy a new device/car, pay someone to modify the system software/brakes, or learn how to modify the system software/brakes themselves. (With Apple, you have no such option, btw.)

What's so hard to understand about that?

More privacy issues

[wkk2]

There appears to be more privacy issues beyond monitoring in the phone. My Smartphone (GT-I9100 v.2.3.4) won't allow access to https://www.google.com./ It also doesn't allow the addition of private certificate authorities or the removal of bad ones. To make matters worse, it won't display the fingerprint of a certificate. So the only option is to accept, on faith, the issuer name displayed. It seems obvious that the handset makers don't care about privacy or potential harm to customers.

Re:Bad news: you've picked up a hitch-hiking murde

What's so hard to understand about that?

Well...

I know what everyone will say next: people have busy lives and most could care less about how a cell phone, computer, car, electricity, or the like operates. I get that, but at the same time, if they *really* care about if their phone is spying them, or their brakes are substandard, or whatever, they can either buy a new device/car, pay someone to modify the system software/brakes, or learn how to modify the system software/brakes themselves. (With Apple, you have no such option, btw.)

And learn how to take DNA samples and review everything they eat. And learn how to apply anesthetic as well as open themselves up again to check that their surgeon did what he was supposed to. And so on and so forth.

Just because a layman can gain enough knowledge to 'review' the work of experts, does not mean that anyone should have to do this . The very idea is completely fucking absurd.

HTC was pretty easy

Download unrevoked one click root.
Download Rommanager and tell it to do it's thing.

Yes that's more complicated than turning off menus within iPhone, but it's not so complicated that a non-technical person couldn't do it if they had the instructions in front of them.

Re: EU laws irrelevant

[jtara]

The U.S. laws on data collection provide protection. It's a federal offense, and has been for many years:

http://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act

That doesn't help if the carrier chooses to ignore the law.

Like a car payment for a car you own outright

[tepples]

Cell phone contracts are loans.

With the principal and interest payment bundled in the monthly bill. The trouble is that Verizon, Sprint, and AT&T don't give a discount on the monthly bill if I buy the phone up front at full price. So why do I still have to pay principal + interest to the carrier for a phone that I already own outright? It'd be like having to pay a car payment to the bank (and not just tags and liability insurance) for a car that I've already paid off.

Precisely!

[DeadCatX2]

I was just about to give such a reply, but you beat me to it, and yours is even better than mine would have been.

My mom doesn't have to know how to root her phone and load CyanogenMod. But it does create a market for a business which can do these things for people who lack the necessary expertise.

Re:Precisely!

I was just about to give such a reply, but you beat me to it, and yours is even better than mine would have been.

My mom doesn't have to know how to root her phone and load CyanogenMod. But it does create a market for a business which can do these things for people who lack the necessary expertise.

I'm all in favor of open systems but I'm not sure I buy this argument... at least, in this case. Can you point us to ANY business that provides an "install alternative ROMs" service for customers.

Re:Precisely!

[DeadCatX2]

Can I point you at one?

No.

Does this create a potential market for such a business?

Yes!

Re:Precisely!

There is a computer shop here in town that will load whatever you want on the android tablets you purchase.

Quicktec in Lincoln NE.

I don't even think they charge if you are buying the tablet from them.
Phones, IDK.

Re: EU laws irrelevant

[The+Moof]

Yes, this outdated and rarely enforced law will surely be used to protect us by the government, who completely respects citizen privacy and stand up against corporate abuse...

</sarcasm>

I have Diagnostics & Usage turned on

[Relayman]

I have D&U turned on on my iPhone 4S. Why? Because I'm a geek and if I can help out some other geeks at Verizon or Apple, so be it. But, guess what? I can see what's transmitted, no rooting required. Here's a typical entry:

deviceid: "xxx"
isAnonymous: true
deviceConfigid: 101
triggerTime: 1322150199352
triggerId: 655363
profileId: 10109
investigationId: 0
locationaUpdateSession {
timestamp: 1322150199351
timestampEnd: 1322150199351
desiredAccuracy: 1000
cellAvailable: true
wifiAvailable: true
passcodeLocked: false
airplaneMode: false
ttff: 0
ttffGps: -1
bundleid: "com.apple.weather"
achievedAccuracy: 99
}

Enjoy your paranoia! I refuse to participate.

Re: EU laws irrelevant

They'll respect it more if the voters appear to care about it.

They keep getting reelected despite doing all that crap. So it's not important enough.

Re:Handset Or Carrier Or FedGov?

[ThatsNotPudding]

...integrating CIQ became a mandatory requirement for products that were to be bought by AT&T...

Now better known by their working acronym of NSA.

Apple doesn't need Carrier IQ

iTunes and I guess other stuff does enough tracking for them.
http://www.telegraph.co.uk/technology/apple/8912714/Apple-iTunes-flaw-allowed-government-spying-for-3-years.html

Re:Bad news: you've picked up a hitch-hiking murde

[clonehappy]

I agree, it's completely fucking absurd. But, unfortunately, we can't rely on anyone but ourselves these days, let alone bought-and-paid for "experts" who work for the companies we are supposed to "trust". Heh.

Why are people still buying into pricey contracts

Thus the reason you should be buying unlocked phones. I have been saying this for years. They aren't loaded up with a bunch of crap that you don't need/want.

Re:Handset Or Carrier Or FedGov?

[thejynxed]

That's the point I have been mulling over as well ever since this mess came to light. There's only two reasons why this software would log the content of text message/email/search. Either a government agency of some sort requested this feature (or outright demanded it), or the folks behind CarrierIQ built in this ability so that carriers could use this info for their targeted advertising platforms.

If it's the former reason, this fits in line with PATRIOT-Act provisions, and if it's the latter, then quite simply, CarrierIQ broke the law, violating both the Electronic Communications Privacy Act, and the various laws based on wiretapping.

In this first case I mentioned, they still might get into trouble, if those parts of the software were enabled by default, as it was recently decided in some US Circuit Court case that the government is required to obtain a warrant before they may obtain access to such data as this CarrierIQ software provides.

I guess we'll find out once the inevitable lawsuits spring up.

Re:Bad news: you've picked up a hitch-hiking murde

[Bucky24]

Android? With a little looking and forethought, you can replace the "Angry Backstabbing Murderer" with a "cute blonde". You can even tweak the Blonde to have bigger boobs if you want.

I wish those were real settings you could tweak on an Android device.

CarrierIQ is not free or open source

[mjwx]

If anything, this demonstrates why Free Software alone is not the answer. In this case, the closed-source iOS is actually respecting your privacy more than the Open Source Android.

With Apple's history of tracking, that statement is laughable. Google sought user permissions before collecting data.

But CarrierIQ is not a part of Android, it's not a function installed by HTC, it's a function installed by US carriers (yet to find it on an Australian phone). But remember that if this had not had been discovered on Android, it would never have been discovered on IOS.

You still think that code is the answer, but it isn't. Dennis Richie demonstrated long ago how even access to the full source doesn't make you safe.

Here you're using a logical fallacy. You're treating "safe" as a binary concept, implying if you're not 100% safe, you are 100% unsafe. This is not the case.

Having access to the code does not guarantee security nor provide absolute security, but it does give you greater security by being able to interrogate the code and find out what it's doing. With Closed Soruce, you're taking the manufacturers word that they aren't doing anything untoward and this is it. You get the same gaurantee with Open Source, but with Open Source you also get to see the code for yourself.

This is a place where actually the legal solution is simpler, easier and more reliable than the technical one for carriers to circumvent and ignore.

Fixed that for you.

CarrierIQ has been around for years before Android or IOS (company started in 2005) and their software is borderline illegal already in the US, it's well and truly illegal in other jurisdictions. It's pretty obvious already that the carriers using CarrierIQ dont care about nor fear the law in this regard. If new laws were introduced, they would still be as infective and closed source would make it easier for them to hide what is actually being recorded. In addition to this, a court case will take years and in the end, they'll get a slap on the wrist and keep doing because it's more profitable and class actions aren't that costly.

Further more, US carriers are more effective at influencing lawmakers then US citizens. Any further laws would only serve to help the telco's collecting information.

Re:CarrierIQ is not free or open source

[Tom]

With Apple's history of tracking, that statement is laughable. Google sought user permissions before collecting data.

As does iOS. Your point?

Having access to the code does not guarantee security nor provide absolute security, but it does give you greater security by being able to interrogate the code and find out what it's doing.

Theoretically. You still don't know if that's the code that is actually running. You still don't know if there isn't other code embedded on the device. You still don't know if the CPU works the way you expect it to. If I control the hardware, you can have all the source code access you like, I can still do to you whatever I want.

Fixed that for you.

That's getting old. No, you didn't.

I've already pointed out that having good laws is the issue. You don't see companies going around shooting people, or taking their money on the street at gunpoint. I wonder if that is because there's no profit in it, or because it's illegal.

Yes, companies see if they can get away with borderline legal behaviour. There have been studies showing that companies satisfy the criteria for schizophrenia. If our politicians weren't incompetent, corrupt bastards, they'd long ago have realized that law enforcement needs to be stricter on corporations than on humans, because they lack morality.

I still think they ought to have to pay any and all fines in shares going into a "dissolve me" fond, and once that fond has enough votes, the corporation gets dissolved for having broken too many laws too often. Allow them to buy shares back after a time equivalent to the maximum jail sentence a human could have received for the same offense.

Further more, US carriers are more effective at influencing lawmakers then US citizens. Any further laws would only serve to help the telco's collecting information.

There's your problem. Yes, of course. I can't repeat it often enough: We are being sold out by the very people we elected to represent our interests. If you're sick and tired of that as I am, do your share in changing the system. The first thing you need to do is stop deluding yourself into thinking it's important you vote for the lesser of the two evils and don't vote for people you don't support, just because you think the others are worse. They aren't. You are being scammed.

Beginning of the storm..

[doccus]

It's kinda nice to be at the beginning of such a huge mess.. and know it while it plays out.. The carrier IQ storm is , i think gonna be just *huge*.. this is the lull before the proverbial s* hits the fans.. IMHO

My raging Apple hard-on is showing but...

[rubypossum]

Actually, I felt betrayed when I found out that Apple has this installed. But ummm, predominantly Android phones were being sold by asshole carriers with a rootkit installed and enabled - actively sending keystrokes and personal data. The same rootkit is on iOS but it's disabled by default. Why would Apple need to sell this as a feature? It IS a feature. At least it's not enabled by default.

I think you're just a little too emotionally invested in your hatred of Apple. Why waste your time? Besides being guaranteed to be modded up, I mean.

Re:My raging Apple hard-on is showing but...

[Reverand+Dave]

Seems to me that you're a little to invested in your love of Apple. Personally I don't think iDevices are bad things other than they are horribly overpriced, but the fanbois are annoying thing about them and you're kind of proving that with your above post. I'm just saying that you fanbois couldn't possibly believe that your Sacred Apple would dare do something that isn't in your best interest.

It's the government

[thisisauniqueid]

The only plausible explanation for Carrier IQ is a government mandate to the carriers to install wiretapping capabilities. Which makes it ironic that a class-action lawsuit is proceeding which will probably eventually bring in the FCC too, i.e. the very government that put Carrier IQ in place in the first place.

Carrier IQ's marketing claims undercut its defense

Can they Deny this too??

Carrier IQ's own marketing claims undercut its defense
http://www.pcadvisor.co.uk/news/mobile-phone/3322625/carrier-iqs-own-marketing-claims-undercut-its-defense/

Re: EU laws irrelevant

[sociocapitalist]

Agreed but it seems to me that the EU is more serious about consumer protection than the US, perhaps from being less controlled by corporations.

I'm American but living in the EU so I have a bit of both perspectives, if no hard data to hand to back up my feeling on this...