Carrier IQ Drama Continues
alphadogg writes "A Cornell University professor is calling the controversial Carrier IQ smartphone software revelations a privacy disaster. 'This is my worst nightmare,' says Stephen Wicker, a professor of electrical and computer engineering at Cornell. 'As a professor who studies electronic security, this is everything that I have been working against for the last 10 years. It is an utterly appalling invasion of privacy with immense potential for manipulation and privacy theft that requires immediate federal intervention.'" Read on for a grab-bag of other news about the ongoing story of Carrier IQ's spyware.
Federal intervention is already on the menu; new submitter mitcheli writes "Following the video from Trevor Eckhart on Youtube after the filing of the Cease and Desist letter and subsequent reply by the EFF and apology letter (as reported on Slashdot), Senator Franken of the Subcommittee on Privacy Technology and the Law asks some rather pointed questions."
Franken has more reason, apparently, to look into this than might legislators in other countries; an anonymous reader submits news that Cambridge researchers have found the software to be confined to (or at least only confirmed in) American customers' phones. From their report: "We performed an analysis on our dataset of 5572 Android smartphones that volunteers from all over the world helped us create. From those 5572 devices, only 21 were found to be running the software, all of them in the US and Puerto Rico. The affected carriers we observed were AT&T, Boost Mobile and Sprint.
We found no evidence of the Carrier IQ software running on Android devices in any other country."
Another anonymous reader suggests that "Apart from anything else, the fundamental mistake that Carrier IQ made was attempting to silence a developer using a heavy-handed legal threat. Certainly this was the tipping point in terms of bringing the whole incident to the public's attention."
Like apparently begets like; reader adeelarshad82 writes "Not surprisingly, the Carrier IQ controversy has resulted in some legal action. Class-action lawsuits have been filed in California and Missouri that accuse Carrier IQ, as well as Samsung and HTC, of violating federal wiretap laws. The California case was filed on behalf of four smartphone users with HTC and Samsung devices and accuses the companies of violating the Federal Wiretap Act, which prohibits the unauthorized interception or illegal use of electronic communications, and California's Unfair Business Practice Act."
Finally, GMGruman writes with the cautionary note that Carrier IQ and Facebook pose "the least of your privacy threats": "[S]o far these forms of monitoring anonymize the data, so an individual's actual privacy is not invaded. And while people fret over these potential invasions, a more pernicious privacy invasion is under way, one that monitors actual individuals and then uses that information to try to direct their behavior. For example, car insurers give monitoring boxes to customers to track their driving behavior and offer a discount if it is 'good.' Of course, the flip side is higher rates or no coverage if the black box decides you are "bad." And, as this blog post points out, this is just one of many such 'Big Brother corporation' efforts out there that give significant power to insurers and others who have a history of abusing personal information, such as for redlining and coverage denial."
Isn't it interesting that the only OS that sent the info out by default was Android? iPhone didn't. While they were there too, Carrier IQ was disabled by default.
And after all, Carrier IQ was just Google Analytics to mobiles. I can just hope that people start the same kind of uproar once they realize how much Google is spying on them. If it's not allowed on mobiles, I don't see why it should be allowed on our computers and internet. Maybe there's still some hope in humankind.
Very good question from the senator:
Does Carrier IQ believe that its actions comply with the Computer Fraud and Abuse Act (18 U.S.C. § 1030)? Why?
That's the kind of question you don't want to be asked. People don't ask that way if they don't already have an opinion. Basically, he wants to see them dig their own grave, and enjoy it.
That's good news. Let's see if they spring the lobby machine into overdrive and try to get the issue "lost" in sub-committees and extended deadlines.
Assorted stuff I do sometimes: Lemuria.org
the problem is transparency.
If not Carrier IQ what next? What information are they gathering? What's the performance cost with this thing running in the background?
Somewhere in the back of my head Richard M. Stallman is laughing (and eating foot fungus).
Non impediti ratione cogitationus.
Wrong. Apple install it by default and even obfuscate the files.
Wrong yourself, or at least misleading - The carrier IQ that Apple ships with does not record anything at all by default, and even if you could figure out how to enable it records only a tiny bit of data, no keystrokes or SMS for example...
Nor do they obfuscate anything (unless you call shipping with it off a form of obfuscation).
"There is more worth loving than we have strength to love." - Brian Jay Stanley
But why are not the Telecoms on the noise???? they are the ones using the weapon, CIQ is only the manufacturer!!!!
Yes, because Blackberry has never handed over the keys to BBM when a nation-state has demanded them...
Skeptics find flaws in Carrier IQ application analysis
As I posted in another forum, the court of public opinion isn't in complete agreement.
Shai Schticks:"You don't make peace with friends, you make peace with enemies"
" "RIM does not pre-install the CarrierIQ app on BlackBerry smartphones or authorize its carrier partners to install the CarrierIQ app before sales or distribution," the company said in a statement. "RIM also did not develop or commission the development of the CarrierIQ application, and has no involvement in the testing, promotion, or distribution of the app," the statement said"
I know that that statement makes me fully confident... "CIQ is not installed on Blackberry smartphones." is short, punchy, and sounds nice. Who wants to guess why their spokesweasel went with the above, instead?
True, but you can install any app you want on a BlackBerry, including ones that allow users to use their own keys. You can even get BES for free and run your own mailserver with your own keys. I realize RIM has fallen behind in many areas, but I have to say I am quite disappointed that practically none of the major tech blogs has discussed the fact that Carrier IQ is not only not installed on BlackBerry devices, but it is a violation of RIM agreements for a carrier to install this app on a phone. From RIM support forum:
I once took an excursion to Reddit, and later HN. Unlimited up/down voting sucks when dealing with a hive-mind.
They stated even more than what you stated: they stated that not only is it not installed on the phones, but it isn't authorized to be installed by carrier partners. How is that not a stronger statement? Then they continued on to state that they have never had anything to do with Carrier IQ. I don't understand how you infer otherwise.
I once took an excursion to Reddit, and later HN. Unlimited up/down voting sucks when dealing with a hive-mind.
We do not need Opt-Out, we need Opt-In.
Such features, options, possibilities etc should be OPT-IN. If someone has problems with their carrier network. Then they can turn diagnostic tool ON and report it.
Why would the government purchase Carrier IQ's software or services? As it stands, there would appear to be absolutely no effective barriers to their just getting the data from the carrier who installed it...
After all, your carrier already knows what numbers you are communicating with, how often, for how long, and when. They know the text of the messages you send, as well. The only difference is now there is a company who you are not directly paying who is also watching what you're up to. I'm not saying I approve of it, but it really isn't that big of a change from my perspective. If your carrier just sold your calling records to someone, would it be this much of an issue?
Ultimately, any carrier that doesn't already have this kind of detailed information on every one of their customers is at the least irresponsible and more likely idiotic - and even more likely soon out of business. Even for the "unlimited" plans out there, it is still worthwhile for the companies to watch what is going on in order to properly position themselves for future changes in consumer and business phone use.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
As I'm sure you know: Without complete corresponding source code to all of the software running on a phone, you'll never know the answer to those questions.
RMS knew the solution to this problem before the problem became widespread (as he often does) and he got the solution right early on: this is a social problem, not a technological problem. The solution is software freedom for all computer users for all the software they run.
Sadly, the Carrier IQ debacle is unlikely to propel people to see this solution. The problem is too weak in its urgency because Carrier IQ's (or any other workalike) privacy violations are merely annoying or scary. Privacy violations usually don't kill or maim anyone. Also, the affected audience has low market value: the general public. When proprietary software used in internal medical devices fails and kills someone, there will be another opportunity to talk of software freedom as a social solution to be taken seriously. And, for a time, people will be more receptive to the idea that all computer users deserve software freedom. People seem to have no problem hiring professionals in other fields they don't understand (plumbers, doctors, lawyers, mechanics, builders) so it's not far-fetched to expect the public to hire computer programmers to inspect and modify programs on their behalf.
Digital Citizen
Nope! "T-Mobile utilizes the Carrier IQ diagnostic tool to troubleshoot device and network performance with the goal of enhancing network reliability and our customers' experience. T-Mobile does not use this diagnostic tool to obtain the content of text, email or voice messages, or the specific destinations of a customers' Internet activity, nor is the tool used for marketing purposes."
Verizon, C Spire, MetroPCS, and US Cellular are the only US carriers currently denying Carrier IQ is used on their systems.
The US government have made it clear that we have no inalienable rights; any we do not defend vigorously will be taken.
To test, I think you'd have to set up your own cell, as this doesn't use the wifi network. People with their own personal cell tower to test with probably work for or with the carriers, and so are under NDA WRT the whole thing. About the only thing that could be done is a custom android build with this installed that would spit out the data before it was handed over to the radio. As the carriers have already stated that they use it to monitor QoS, there are likely trigger conditions that will cause the data to be sent... kind of like sending MS or Apple your crash logs. The fact that the end user is NOT alerted that anything is being sent is the real issue. Likely the carriers figure that it's their network and their device data that's at issue here, and they don't really care about personal info for the task at hand, so they've never considered the gross privacy violations that the system potentially enables.
Or they've been mandated to install it.
we know that the EU is giving facebook flak for their privacy issues, so what do you think they are going to do to Carrier IQ?
i get the feeling that in a couple months we will see a headline about Carrier IQ going under.
Anons need not reply. Questions end with a question mark.
To test, I think you'd have to set up your own cell, as this doesn't use the wifi network. People with their own personal cell tower to test with probably work for or with the carriers, and so are under NDA WRT the whole thing.
Such a thing is called a microcell and can be purchased by the public.
Shai Schticks:"You don't make peace with friends, you make peace with enemies"
It's not just happening in the US. All the major carriers in Canada had initially denied having Carrier IQ on their phones (Rogers/Bell/Telus) but it has recently been found on the Rogers LG Phoenix.
http://mobilesyrup.com/2011/12/02/uh-oh-carrier-iq-found-on-the-rogers-lg-phoenix/
You can put anything on iPhone without a jailbreak
You just have to pay for a developer's license and enroll your phone.
What you don't get is the ability to put any software you want on other people's phones by letting them download your application from your web site, you have to go through iTunes for that, and doing that requires Apple to approve your application. But when we get to that point, we've stopped talking about developer freedom and started talking about entrepreneurial freedom, which is something completely different.
PS: iPhones don't come with carrier crap installed; that's one of the reasons Apple didn't initially partner with Verizon; the other two reasons were the Qualcomm patent tax on CDMA hardware, and Verizon not wanting to set up a Visual Voice Mail service that met Apple's requirements.
PPS: All of the projects for running Linux on phones are only going to get somewhere if they break signature verification in the boot loaders, and the baseband software runs on a separate chip, rather than on the same chip as applications. That lets out a lot of smartphones (e.g. anything running a Qualcomm Snapdragon CPU). If they try to go ahead on those phones anyway, men in suits will show up citing the Code of Federal Regulations, 47, Section 2.944 covering Software Defined Radio.
-- Terry
A good chunk of developer freedom is tied up in distribution.
If you're allowed to develop, but not distribute, then your freedom as a developer has been compromised. Consider the various free applications available from the Cedega app installer - there's no entrepreneurial angle there.
Concerning the PS, yes, you're right. Apple is likely the one exception, since they're really the only ones who can get away with it.
Concerning the PPS, I'm honestly not expecting non-corporate Linux distros to "get anywhere" on phones anyway, due to a lot of other reasons, but there's plenty of phones out there without integrated radios. I imagine hobbyist distros will be developed for phones as long as there are phones for them to be developed on.
Those who can't do, teach. Those who can't teach either, do tech support.
The Windows experience has proven that no publicly networked device can be safe from threats.
Ah, Slashdot. You never fail to disappoint.
IMO people who demonize CIQ are missing the target. You should demonize the companies who employed CIQ technology to spy on their customers.
The only thing CIQ is guilty of is being a for-profit company in a capitalist society. Where there is demand (AT&T, HTC, Samsung, Motorola) there will be supply (CIQ). Just like the spam issue.
If you don't extinguish the demand by penalizing CIQ's customers, perhaps through legislature, CIQ 2.0 will be incorporated in no time and you better believe the next root kit will be a lot harder to detect.
AB
smattawichu
A good chunk of developer freedom is tied up in distribution.
If you're allowed to develop, but not distribute, then your freedom as a developer has been compromised. Consider the various free applications available from the Cedega app installer - there's no entrepreneurial angle there.
There would be nothing stopping you from distributing your code for an iOS app. In order for your "users" to install it though, they would need to pay the $99 fee for a developer license or be jailbroken. Your right as a developer to distribute software is still there, not very conveniently though but there nonetheless.
"To prevent this day from getting any worse, I'll just read ERROR as GOOD THING" 1GJU8xLuDKDxEs4KLf8fAGyptoDsqvEsBT
A good chunk of developer freedom is tied up in distribution.
If you're allowed to develop, but not distribute, then your freedom as a developer has been compromised. Consider the various free applications available from the Cedega app installer - there's no entrepreneurial angle there.
There would be nothing stopping you from distributing your code for an iOS app. In order for your "users" to install it though, they would need to pay the $99 fee for a developer license or be jailbroken. Your right as a developer to distribute software is still there, not very conveniently though but there nonetheless.
Not really, at least not in any meaningful sense. Just like how copyright law allows you to make duplicates of copyrighted material for personal use ... but denies you the right to acquire the tools needed to do that in most cases. A right that you have but do not have the power to exercise is not a right but is, in the end, a privilege. One that may be revoked at any time.
The higher the technology, the sharper that two-edged sword.