Slashdot Mirror
Researchers Say Carrier IQ Isn't Logging Data, Texts
Trailrunner7 writes "Security researchers who have investigated the inner workings of the Carrier IQ software and its capabilities say the application has some powerful, and potentially worrisome capabilities, but as it's currently deployed by carriers it doesn't have the ability to record SMS messages, phone calls or keystrokes. However, the researchers note there is still potential for abuse of the information that's being gathered, whether by the carriers themselves or third parties who can access the data legitimately or through a compromise of a device. Jon Oberheide, a security researcher who has done a lot of work on Android devices, also analyzed several versions of the Carrier IQ software and found the software has the ability to record some information, but that doesn't mean it's actually doing so. That part is up to each individual carrier. However, he says the ability to collect such data is a dangerous thing. 'There is a lot of capability to collect sensitive data, which is dangerous in any scenario,' Oberheide said in an interview. 'It's up to the carriers to use the software as they choose, but you could sort of put some blame on Carrier IQ. But they put it on the carriers.'"
For those who don't want to trust in the good will of Carrier IQ or carriers themselves, here are a couple ways to get it off your phone.
If it isn't GPL-licensed and built by a collective herd of protesting armchair engineers, it must be a tool by corporate government cronies to invade our privacy and steal the vital details of how often we wash behind our ears.
That was sarcasm.
You do not have a moral or legal right to do absolutely anything you want.
Here are three random articles from the front page of Slashdot, Reuters, and TheStreet.com:
Once upon a time, the important part of the URL - the identifier of 2225202 at Slashdot, idUSTRE7B019B20111205 at Reuters, and 11332765 at TheStreet - was all that a potential URL-logger got to see. URLs were not only shorter, they had meaning relevant only to that one particular site's CMS, and it required Yahoo/Google/Bing/government-sized resources to follow every such link and map URLs to content on scales as big as "everyone who uses the WWW".
Except that nowadays, most URLs are rewritten with-redundant-text-for-SEO-purposes. Slashdot's URLs say researchers-say-carrier-iq-isnt-logging-data-texts Reuters' URLs say us-russia-election and TheStreet's URL says its-official-facebook-buys-gowalla-team.html.
All of a sudden, if I have access to the URL stream, I can now figure out that you're interested in Carrier IQ's spyware, the Russian elections, and whatever Facebook is up to this week -- with nothing more complicated than "grep".
I'm not advocating tinfoil haberdashery: there's no grand conspiracy of webmasters to make clickstreams greppable. It's merely a regrettable (for end user privacy) side effect of the relentless push towards SEO that organizations like Carrier IQ can get a lot more "interesting" information out of a user's clickstream than they would have been able to do as recently as two years ago.
If I use any modern mobile 'phone then I assume anything I put on it and where it is can be read by the OS vendor and the carrier. The environment is too tightly controlled and lacking in openness for me to be able to come close to verifying otherwise. We can assume that the facility is only used on rare occasions because one significant revelation of data transmission will put people off buying the product, IOW the only thing keeping anyone safe is the "you're not important enough to matter" card.
But if you're doing anything remotely interesting, whether that's in industry or activism, you'd be a fucking idiot to use the routine features of a smartphone.
Indeed, and carriers of course could already view and record text messages. They don't need an app for that.
If Pandora's box is destined to be opened, *I* want to be the one to open it.
If CarrierIQ is making money from studying my behaviors, then I want a cut or I want to uninstall their craptastic software. I should not be forced to consume software I do not want. If Android wants analytics, then build it into Android OS. My relationship is with my phone manufacturer and the OS manufacturer. I should be able to decide what other relationships I want. CarrierIQ can contact me if they think their software somehow adds value to my experience. Otherwise, do more testing.
Why do people try and point a finger at CarrierIQ? Do you blame Smith & Western every time someone gets shot? Do you blame Volvo when someone steps in front of one of their busses? Do you blame Jack Daniels when someone drinks themself to death? If anyone wants to do any finger pointing it should be at the one responsible for installing and configuring the software - the carriers themselves.
This was known days ago. Of course that fucks up your nice little conspiracy theory, so it wasn't posted.
Carrier IQ has admitted that it records URLs of every web site you visit on your mobile device, and sends it to the carrier.
So there is another subpoena target for the authorities. Even your ISP doesn't necessarily get that information. Why should your carrier?
Sig Battery depleted. Reverting to safe mode.
According to this video Carrier IQ has the ability to capture URLs that are entered, including HTTPS URLs. When a browser makes a secure connection (HTTPS), the URL is encrypted before the browser transmits it to the target webserver to protect any sensitive information it may contain. So the carrier would not be able to log such URLs through their equipment -- Carrier IQ allows them to do it by intercepting before encryption is applied.
Fact is: They sold you a phone with a rootkit installed that could record and transmit anything without your notice or your consent. That's still fucking bad enough for me. Claiming that "it wasn't activated by default" doesn't change a bit of it.
Oh, the beautiful gloss of greality!
Actually, the trend of late is to use customers as additional products for sale often without the consent of the customers who are being [ab]used. It may take some doing to get law to reflect the moral problems of this sort of thing, but you can bet if the kind of data they are collecting on others was collected on the perpetrators and made public, it might make a few of them a bit upset to the point to taking legal action. No one want this done to them and especially not the ones doing it. So the morality of all this is certainly not in question. Now we just need some "do unto others" put into law.
Someone needs to go to jail to stop the avalanche of "me-too-ism" on this gold rush to exploit consumers.
As usual, the crux of the matter has to do with TRANSPARENCY and CONSUMER CONSENT. The question of whether or not CarrierIQ is actually capturing user behavior through the software is important, but actually secondary to the fact that the carriers themselves do not TELL the consumer that (1) we've installed this logging software on your device; (2) it is not possible through normal means to deactivate it; (3) this software runs without any disclosure or agreement in your contract; (4) this software runs on your device even if you are no longer under contract or even subscribed as our customer; and (5) this software is not an integrated component of the device's operating system.
And why don't they tell you these things? Because they can get away with it. The fact that this software is so hidden from the user, and is NEVER mentioned in any of the legal documentation you are asked to sign, is all the reason why the consumer cannot and should not be expected to simply take either the mobile network operator or CarrierIQ at their word when they say they're not tracking personally identifiable information. Yes, researchers have chimed in with their findings. But such broad, unregulated, and pervasive tools as CarrierIQ have enormous potential for abuse, and it is simply unacceptable to allow these companies to just chalk it up to "sorry we kept this a secret from you, but TRUST US, it's all perfectly innocent." Yeah, bullshit. If it were truly so innocuous, why did you go through such lengths to hide it and make it difficult to disable or remove?
Here's the thing. I think this whole CarrierIQ debacle is being played up in the media for exactly the reason stated in the title, because it ISN'T logging data, texts. It really isn't sending your data back to the carrier, government, or whomever. What it does, is far beyond the understanding of the average consumer of the nightly news. So the media will trot out the experts who say, "This software does not send your data back to the carrier, it just hooks the keyboard for diagnostic purposes at a level beneath the userland of the Android operating system."
And, whoosh.
In the minds of the masses, it was harmless.
But it isn't harmless. The software certainly has the capability of monitoring/logging/reporting every keypress on the phone and sending it to whomever it's configured to send it to. No one outside the "slashdot-esque" crowd knows much about rootkits, system hooks, etc. etc., however. But now, whenever someone mentions the fact that phones are spying on you, everyone can come out and say "No, they're not. Didn't you hear? CarrierIQ was harmless. You're a tinfoil-hat nutter!" Even though they still will be monitoring everyone, either through this method, ones hidden better, at the switching center, or voluntarily (Facebook, etc.) And it'll be business as usual.
Right now, you can be pretty certain your phone isn't doing any real, wholesale spying, since to transport that amount of voice/video, or whatever type of data will kill your connection and drain your battery faster than you can say "fourth amendment" (until you connect to wi-fi, of course). The real trojan horses are the 4G networks. Especially once LTE connections are the norm, it will be trivial to log a tremendous amount of real-time "intelligence" (because that's exactly what these phones are, intelligence gathering tools) and quickly whisk it up to whomever wants to see your data without you noticing. I'm sure it'll be as simple as someone in a spook hideout pressing a button and, voila, the 4G network is providing them a real-time peek and listen into your life.
They're not kidding: Intelligence Everywhere!
Here's a quick summary regarding keystroke logging made by the two recent articles:
Original video that demonstrated CarrierIQ logging keystrokes. I.e. not a theoretic capability, nor a risk, but actual entries into the system log. This was performed on an stock HTC Evo 3D.
This article is asserting that CarrierIQ does not contain the necessary hooks for keystroke logging on the Samsung Epic 4G Touch.
IOW, the two articles are not making the same claim. It is already known that different phones have different versions of CarrierIQ. This article isn't claiming that no phone has the capability to log keystrokes, merely that the Epic does not. The original article wasn't claiming that all phones are logging keystrokes, merely that the Evo is. Methinks someone is trying to manipulate public opinion, as the original video is surprisingly difficult to find, and this article's claims were immediately exaggerated and that version of the story was popularized.