Slashdot Mirror


Carrier IQ Responds To FBI Drama, EFF Wants More Information

New submitter realized writes "Yesterday Carrier IQ released a report (PDF) which tries to answer some questions about how their system operates. Also, after reports of the FBI using Carrier IQ data, the company responded by saying, 'Carrier IQ has never provided any data to the FBI. If approached by a law enforcement agency, we would refer them to the network operators.' Additionally, the EFF just released a report which says they believe keystroke data 'is in fact being inadvertently transmitted to some third parties,' but they would like to study carrier profiles to verify information." Reader Trailrunner7 adds that Carrier IQ's report indicates "under some limited circumstances its software will log the contents of SMS messages sent to a user's phone, but that the contents of those messages would not be human readable. Instead, they would be in an encoded form that could not be decoded without special software and the carriers don't have access to the contents of the messages either. The company said it has worked on a fix for the bug, which affected devices running the embedded version of the Carrier IQ agent."

29 of 140 comments

  1. "A fix for the bug"? by T5 · · Score: 4, Insightful

    The fix is to not install spyware on the phones in the first place. How hard is this to understand?

    1. Re:"A fix for the bug"? by Sponge+Bath · · Score: 4, Insightful

      It is well understood, but perceived to be less profitable so is dismissed as an option. Same as it ever was.

    2. Re:"A fix for the bug"? by MightyMartian · · Score: 4, Insightful

      Corporations are not humans. They are companies

      .. run by psychopaths.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    3. Re:"A fix for the bug"? by Rennt · · Score: 4, Insightful

      Legal, useful, and morally-sound? Yeah, that doesn't sound like a paid comment. It IS a rootkit, by definition (does it hide from your process list, can you remove it?). The EFF thinks it HAS been used as a keylogger, even if unintentionally. No matter what the customer agreed, this functionality is morally reprehensible. If anything, the carriers deserve some credit for showing restraint in the use of this application, but CarrierIQ itself deserves all the criticism it is getting.

    4. Re:"A fix for the bug"? by Wolfier · · Score: 5, Insightful

      It's not spyware. Carriers want info on how people use their phones so that they can fix bugs and make better phones. It's no different from software that occasionally reports home with usage statistics. Everyone does it, and it's a good thing. The only problem is that a few OEMs and carriers disabled the user's ability to opt out.

      CarrierIQ makes a legal, useful, morally-sound product. Some companies go on to use that product in a legal, useful, but less moral manner. But some asshole of a security researcher figured out (correctly!) that he'd get way more hits on his webpage if he accused them of making a rootkit and keylogger. And now all the innocent, hardworking developers at this small business will be out on the streets, because the rage-a-holics want something to scream about, and the media is more than happy to manufacture controversy if it means good ratings.

      So congrats. You're going to destroy the lives of some innocent people over the tiniest of slights. I'm sure you're very proud.

      Not so fast. I suspect if CarrierIQ didn't attempt to SLAPP the researcher, none of its PR disaster would have happened.
      Don't act as if CarrierIQ is totally in the right, because it is not. The moment they decided to unleash a lawyer first, and then an honest disclosure when necessary, their fate was sealed.

    5. Re:"A fix for the bug"? by advocate_one · · Score: 4, Funny

      Corporations are not humans. They are companies.

      The Supreme Court (wrongly) disagrees with your statement.

      I'll believe in corporations having personhood when Texas executes one...

      --
      Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
    6. Re:"A fix for the bug"? by L4t3r4lu5 · · Score: 3, Insightful

      It's no different from software that occasionally reports home with usage statistics.

      The difference here is that I wasn't asked if I wanted to provide usage statistics, didn't even know that such statistics were being created, and the data being collected goes way beyond that which would be useful to any developer. Why would they need to know the content of my SMS messages to make a better app? Why do they need to know who I called and when, not just that a call was made?

      This is just too invasive. If they made it so it reported the most basic, anonymised stats there wouldn't be a problem. What they have done, however, is load devices which potentially contain sensitive personal data with remote monitoring software, with access to communications made on that device. It's too much, and they need to be called out on it.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
  2. No secret decoder ring here! by undeadbill · · Score: 5, Interesting

    Instead, they would be in an encoded form that could not be decoded without special software and the carriers don't have access to the contents of the messages either.

    Yeah, first they say they don't sniff your traffic, then they say this, then that, then they pull the "not without our secret magic decoder ring" argument. If they are working with government agencies to use this software (and it may not be the FBI), they wouldn't even have the ability to admit to it- those kinds of agreements require the company to deny everything in perpetuity.

    First thing this new year, I'm migrating my phone over to cyanogenmod. I'd do it now, but I just don't have the time.

    1. Re:No secret decoder ring here! by betterunixthanunix · · Score: 3, Insightful

      First thing this new year, I'm migrating my phone over to cyanogenmod

      Or, you could use your phone less, and use other devices more. The more dependent we become on our cell phones, the more power the cell phone companies will have over us.

      --
      Palm trees and 8
    2. Re:No secret decoder ring here! by VortexCortex · · Score: 3, Funny

      Actually, you're almost there. The most secure encryption is to simply XOR each byte with itself.

  3. Re:A Little Help Please? by VortexCortex · · Score: 3, Funny

    Install gentoo.

  4. Re:The more you know... by cosm · · Score: 5, Insightful

    And we give you more shiny toys...
    All the better to track you my dearie!

    And we give you better airport security...
    All the better to control you my dearie!

    And we give you more in store free membership cards...
    All the better to know your every purchasing move my dearie!

    And we give you more places to report SSNs...
    All for the illusion of importance and identification my dearie

    And we give you traffic and overhead cameras...
    All the better to make sure you're driving safe dearie!

    And we give you more social networks...
    All the better to keep you and our friends close, so we can keep you our enemy closer!

    And we give you internet shaping and monitoring...
    All the better to provide better content delivery my dearie!

    And we give you more child porn laws and content ratings...
    All the better to protect your eyes my dearie!

    And we give you more drug laws and consensual restrictions...
    All the better to keep you safe my dearie!

    And we invade other countries and install governments...
    All the better to ensure your security my dearie!

    And I give you the slow erosion of all that is personal responsibility, hard work, civil liberties, freedoms, independence, free speech, and everything America ever once strived at standing for...
    All the better to own you my dearie!

    --
    'We are trying to prove ourselves wrong as quickly as possible, because only in that way can we find progress.' RPF
  5. Re:A Little Help Please? by PNutts · · Score: 3, Informative

    Step 1: Buy an Android phone
    Step 2: Run one of the numerous CIQ detection apps
    Step 3: If found, install an AOSP ROM like CM7

    Yes, much simpler than turning off a single option in the iPhone's preferences (after you've turned it on because it's off by default). Or don't turn it off because you can see what it sends in clear text and it doesn't log anything except diagnostic information.

  6. Re:A Little Help Please? by andydread · · Score: 3, Informative

    Install Cyanogen Mod.

  7. Re:A Little Help Please? by Anonymous Coward · · Score: 4, Informative

    Apple has said that they are almost done using Carrier IQ for other methods of data collection.
    http://allthingsd.com/20111201/apple-we-stopped-supporting-carrieriq-with-ios-5/

    The quote is:
    “We stopped supporting Carrier IQ with iOS 5 in most of our products and will remove it completely in a future software update. With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information. We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so.”

    And for the Fanboys out there I say Other methods since they will still get "diagnostic data sent to them".

  8. Talking through hat/lying through teeth. by bmo · · Score: 3, Funny

    but that the contents of those messages would not be human readable. Instead, they would be in an encoded form that could not be decoded without special software

    "We encoded it as ROT13, twice."

    --
    BMO

  9. Re:A Little Help Please? by jesseck · · Score: 3, Insightful

    That just means they have a replacement that will do the same.

  10. Re:A Little Help Please? by Anonymous Coward · · Score: 3, Informative

    True. Here's the strange thing, though. Apple's statement was: "We stopped supporting Carrier IQ with iOS 5 in most of our products, and we're going to remove it completely in a future software update." Not particularly clear. On followup, that was narrowed down to the iPhone 4 with iOS 5 still has carrier IQ (and Verizon doesn't use carrier IQ, so it might be ATT iPhones only). Either way, carrier IQ wasn't doing keystroke logging or any of the other strange shit.

  11. Carriers should make the service heat maps avail by klubar · · Score: 5, Interesting

    I read the CIQ pdf, and the part I was most impressed with was the service quality heatmaps. It would be great if the carriers made (or were required to make) this data available. This would make it much easier to evaluate a carrier in your actual area. Instead the carriers just release vague maps that show that nearly the entire US is green. Clearly they have the data.

  12. Google got slammed, but not CarrierIQ? by Okian+Warrior · · Score: 5, Interesting

    One thing that's bothered me about all this:

    Google's street-view car inadvertently logs SSID broadcasts, which are transmitted in the clear. They 'fess up and get washed and hung out to dry. Threats from governments, demands that they turn over the data, investigations galore.

    CarrierIQ sends your text messages and keypresses and location information (including your typed passwords) to various third parties including the FBI and carriers... and nothing. A handful of small entities are "seeking suit" against the company.

    Where's the outrage? You'd think that CarrierIQ only affects geeks.

    1. Re:Google got slammed, but not CarrierIQ? by Wolfier · · Score: 3, Interesting

      Only in the form of OS logs for crash reports

      Neither CarrierIQ nor the Carriers have business in knowing what apps I'm using, whether they crash or not (the PDF says it reports context switches between apps, this is an INSANE invasion of my privacy) - except the crapware written by the Carriers themselves, which I need or want none of.

      The whole "case" against CIQ is hugely overblown by media sources looking for ratings and people who desperately want something to be outraged over.

      They were largely responsible for the "case" against themselves - if they worked with the researcher instead of using lawyers to threaten him, there would be no case. They should have been sensitive enough to know that there's a very fine line between what they make and a real spyware - and be aware of the possibility that EFF might join the fray before their lawyer sent that threatening letter.

  13. The intention doesn't matter by markjhood2003 · · Score: 3, Insightful

    Defenders of Carrier IQ insist that they're not collecting keystrokes, capturing SMS messages, or relaying personal information to the FBI, and that they're just collecting information to improve the quality of the network. The argument is irrelevant. Clearly the software has the capability of performing all these functions even if it isn't currently being used that way, and if the capability is there, it can be abused by third parties. Its existence on a personal device on anything other than an opt-in basis is unacceptable.

    1. Re:The intention doesn't matter by sjames · · Score: 3, Insightful

      If CIQ is so honorable, why have they made such an effort to embed it so deeply it cannot be turned off or removed from the phone by its rightful owner short of extreme measures? Why isn't its presence and operation more obvious? The deep embedding and stealth nature of the app are strong evidence that they know very well that phone owners will object to it. Those are not the actions of the innocent.

      If their intentions were honorable, they would apologize for getting it so very wrong and would have offered up a free detect and disable app for people who do not want CIQ on their phone. They have done no such thing. Instead they have been backing up slowly denying and backtracking all the way.

      You're right that we shouldn't ban knives, but you bet there will be hell to pay if someone is caught sneaking onto a plane with a knife concealed in his rectum. Claims that it was just in case he needed to peel an apple during the flight will not be accepted.

  14. Re:A Little Help Please? by Black+Parrot · · Score: 5, Insightful

    I've got the iPhone, how do I crib smother this Carrier IQ parasite?

    Next time you drive across a bridge, toss it out the window.

    --
    Sheesh, evil *and* a jerk. -- Jade
  15. Carriers don't have access? by ChipMonk · · Score: 5, Funny

    "Carriers don't have access to the contents of the [SMS] messages." Then how the hell do they get them to my phone in a human-readable format?

  16. Re:A Little Help Please? by KahabutDieDrake · · Score: 4, Insightful

    This seems to be the point everyone is missing in all this. The carrier doesn't need spyware to spy on you, THEY ALREADY SEE ALL YOUR STUFF IN PLAIN TEXT. It's not like ATT needs a warrant to open up their own network and take a look around. Nor does Verizon need federal permission to log, through their data proxy, every address you ever visit, for how long and using what protocols. In point of fact, current federal law requires these companies to store this information, for a very long time.

    What exactly do people think CIQ can tell the carrier that they don't already know? The pathetic answer is, real world network performance diagnostic data. Which is just about the ONLY thing the carrier doesn't already know about your handset.

  17. Re:A Little Help Please? by shutdown+-p+now · · Score: 4, Insightful

    Step 1: Buy a Nexus phone.
    There is no step two.

    FTFY.

  18. Re:A Little Help Please? by RubberMallet · · Score: 4, Insightful

    There's nothing to turn off on my Android... CarrierIQ isn't even installed... wasn't installed from the beginning. So.. who has the spyware-riddled device now? The iPhone which actually has the software installed, or the Android where it isn't? Hmmmmm

  19. The if, the why, and the who, are moot by sgt+scrub · · Score: 3, Insightful

    Our client Trevor Eckhart (whose research set off the present firestorm) and his subsequent collaborator Ashkan Soltani have shown that on some phones, dialer keypresses and SMS text are being written to system logs by layer 4 code.

    It doesn't matter the intent of the developers of the software. If it exposes private information by logging plain text information to a place where an application can access it, it is bad. Trevor Eckhart exposed a VERY dangerous effect of a software exposing private information. The developers should fix their shit and shut the fuck up.

    Finally, there is an additional configuration file (called a "Profile") that controls the behavior of layer 2 and determines what information is actually sent from the phone to a carrier or other Carrier IQ client.

    If the user does not have access, or even know there is access, to controlling the "Profile" it is spyware. If it can not be disabled or removed without rooting the phone it is a rootkit.

    --
    Having to work for a living is the root of all evil.