Beta

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Android Dev Demonstrates CarrierIQ Phone Logging Software On Video

Soulskill posted more than 2 years ago | from the hand-in-cookie-jar dept.

Cellphones 322

Token_Internet_Girl writes with a followup to last week's news about Android developer Trevor Eckhart, who was researching software from CarrierIQ, installed on millions of cellphones, that secretly logged a variety of user information — from button presses to text message contents to browsing data. CarrierIQ tried to silence Eckhart, but later backtracked. Now, Eckhart has posted a video demonstration of CarrierIQ's logging software. From the article: "The company denies its software logs keystrokes. Eckhart’s 17-minute video clearly undercuts that claim. ... The video shows the software logging Eckhart's online search of 'hello world.' That's despite Eckhart using the HTTPS version of Google, which is supposed to hide searches from those who would want to spy by intercepting the traffic between a user and Google. ...the video shows the software logging each number as Eckhart fingers the dialer. 'Every button you press in the dialer before you call,' he says on the video, 'it already gets sent off to the IQ application.'"

cancel ×

322 comments

Sorry! There are no comments related to the filter you selected.

Can't someone sue the carriers? (5, Insightful)

Anonymous Coward | more than 2 years ago | (#38212228)

There is an asymmetry in the system as it works right now. Which private customers have the will, time, and money to sue companies that illegally wiretap their customers? Isn't there anything that can be done against this? (Of, I'm talking about action against CarrierIQ but about action against the carriers that use their software.)

Re:Can't someone sue the carriers? (5, Insightful)

fsckmnky (2505008) | more than 2 years ago | (#38212280)

companies that illegally wiretap their customers

Therein lies the rub. In order to use your cellphone/smartphone, you have to sign the carriers agreement, and in the carriers agreement, there is undoubtedly a clause where you give them permission to collect your data and use it as they see fit. This makes the data collection legal, not illegal, as you agreed to it.

Nothing short of privacy regulation specifically forbidding carriers to use this information, or at the very least, allowing you to specify that you would like your data to remain private, will prevent this practice from being standard, as the monetary incentive is to collect the data. Corporations have an obligation to protect and grow shareholder value, no matter how many advertisements they run claiming "We care about our customers."

Re:Can't someone sue the carriers? (5, Insightful)

Theophany (2519296) | more than 2 years ago | (#38212322)

A contractual agreement to something deemed illegal does not overrule the law.

If a judge found the activity to be unlawful, which I suspect is where the core of the issue rests, then whether or not there was a contractual agreement is irrelevant. I see no reason for a carrier's data collection policy to include keylogging everything a customer does outside of extenuating circumstance (suspected terrorist or something).

Re:Can't someone sue the carriers? (5, Informative)

Serpents (1831432) | more than 2 years ago | (#38212380)

The EU finally admitted that nobody reads ToS [smh.com.au] and it's going to curb such practices.

Re:Can't someone sue the carriers? (3, Insightful)

fsckmnky (2505008) | more than 2 years ago | (#38212396)

Kudos. Lets hope the rest of the world adopts a sane, fair approach.

Re:Can't someone sue the carriers? (5, Interesting)

fsckmnky (2505008) | more than 2 years ago | (#38212390)

A contractual agreement to something deemed illegal does not overrule the law.

It is not illegal, for you to agree, to the carriers collection of the data, which is why regulation specifically making it illegal, or spelling out your rights, is required to stop it.

I see no reason for a carrier's data collection policy to include keylogging everything a customer does outside of extenuating circumstance (suspected terrorist or something).

Yes, you, like myself, see no reason "to allow" carriers to collect this data. That said, a carrier has "every incentive to collect" this data. It has commercial value. They can sell it to the government / police for investigative purposes, they can data mine it in order to find hidden value, and every bit of data sent can be counted towards your monthly usage cap, thereby, increasing the odds that you will run over and incur additional charges.

Please understand I am not arguing on behalf of carriers, merely attempting to point out the reality of the current environment. I don't own a smart phone, as I am aware that the reality of it, is that, I am paying to be spied on.

Re:Can't someone sue the carriers? (3, Insightful)

fsckmnky (2505008) | more than 2 years ago | (#38212438)

I should add, that the moment I heard that Google was releasing a smartphone OS aka Android, my first thought was "Nice. Now google can spy on everyone when they are away from their computer and follow their movements in the physical world."

Beware of free ice cream from pimply faced CEOs of publicly traded corporations who claim to have your best interests in mind.

This situation is only going to get worse. The same data collection practices concerning smartphones are being adopted by car manufacturers, and Google wants to use event data that your spiffy new car collects, in order to "predict" and "suggest" a route for you to travel. Do you really think Google ( and other companies active in this area ) are doing all this work for free because they like you ?

http://media.ford.com/article_display.cfm?article_id=34591 [ford.com]

Re:Can't someone sue the carriers? (0, Flamebait)

CmdrPony (2505686) | more than 2 years ago | (#38212526)

Yep. This is why I will never get an Android device or use Google+. They want to spy, and they spy everything. On top of that, other companies will start to feel that it's ok to do. If the practice can continue without interruption, we will all lose privacy. It's funny how everyone always fights losing privacy to the government. Google, Carrier IQ and the companies are just middle hands for that!

Re:Can't someone sue the carriers? (5, Interesting)

fsckmnky (2505008) | more than 2 years ago | (#38212584)

Indeed. If the government began a program to spy on everyone domestically, it would undoubtedly cause a huge uproar, and likely be deemed unconstitutional ( at least I hope it would be deemed as such. )

But if companies collect the data, then the government can simply request the records, and pay the company a fee for retrieving them, as part of an "investigation."

Web search ... "what are you interested in ?"
Web analytics ... "what sites are you visiting ?"
Friends lists ... "who do you know / communicate with ?"
Mapping ... "where are you going ?"
GPS / wi-fi detection .... "where are you at right now ?"
SMS ... "what have you said to whom ?"

Welcome to the matrix. Good luck flushing yourself from it.

Re:Can't someone sue the carriers? (1)

sirdude (578412) | more than 2 years ago | (#38212768)

So, what device do you use?

I'm curious to know why Apple is never implicated in such privacy and tracking discussions considering how they lock you down to their own software and services. IIRC, they were involved in a GPS tracking furore a few months ago which came to naught. CarrierIQ doesn't develop for the iOS. But if carriers want all phones to return "diagnostic" information, presumably the iPhone is also doing so.

Re:Can't someone sue the carriers? (0)

CmdrPony (2505686) | more than 2 years ago | (#38212814)

Currently, I use my old HTC Touch HD, which comes with Windows Mobile 6.2. The OS that was made before Microsoft also went the Apple and Google route because it was more profitable way. Before that I used Symbian phones, which either didn't come with none of this bullshit. Frankly, Asia and Europe (made by Asians) still has many manufacturers who understand this thing and I can get phone that suits me. Americans, not so much. But they managed to ruin the phone industry for all of us. Did you know in Europe and Asia, you buy the phone you want and then get the contract from telephone company you want, who are only competing with service prices, not with devices they offer? (at least were, until all this iPhone and Android bullshit)

Re:Can't someone sue the carriers? (0)

Anonymous Coward | more than 2 years ago | (#38212992)

Yes that's the norm here, so far anyway. You mean it's not possible in the USA to get a mobile without a piggybacked connection sale as well?!? Oh well, we're getting there too... its just a matter of few more years.

Re:Can't someone sue the carriers? (5, Insightful)

Goaway (82658) | more than 2 years ago | (#38212782)

So, a third party had to make this spy app for the carriers because Google was not spying enough on users for their taste. And your conclusion is that Google is evil.

Re:Can't someone sue the carriers? (3, Insightful)

Ash Vince (602485) | more than 2 years ago | (#38212788)

Yep. This is why I will never get an Android device or use Google+. They want to spy, and they spy everything. On top of that, other companies will start to feel that it's ok to do. If the practice can continue without interruption, we will all lose privacy. It's funny how everyone always fights losing privacy to the government. Google, Carrier IQ and the companies are just middle hands for that!

But why single out Google? All smart phones are going to do crap like this so the only way to escape it is to only use products that are completely open and unlocked.

Bear in mind that this thread is not actually about anything Google can change, it is about some extra software that carriers (ie - AT&T, etc) are adding to android after google are done with it. There is very little you can do to avoid this as all the carriers are just as bad but you can at least not just blame google because they created an open phone platform that some other company wrote bad software for. Do you blame Apple for Mac IE5 being shit or Microsoft?

Re:Can't someone sue the carriers? (1, Troll)

CmdrPony (2505686) | more than 2 years ago | (#38212836)

Because it's a practice Google started, by offering services and software free of charge in return of spying and data collection.

Re:Can't someone sue the carriers? (3, Interesting)

andydread (758754) | more than 2 years ago | (#38212812)

Unfortunately for you it looks like you wont be owning Cell phone of any type. And I suppose you don't own one now. Almost every cellphone from certain carriers has CarrierIQ installed. THis has nothing to do with Google or the underlying operating system. Carrier IQ is crapware that is installed on phones by the CARRIER. And its on Nokia phones and blackberry's along with many many many feature phones. Apple has been tight lipped but don't be surprised if it is found on iphones either. They already have a client available for Iphones. So if the carrier choses to install it you are SOL.

Re:Can't someone sue the carriers? (1)

CharlyFoxtrot (1607527) | more than 2 years ago | (#38212870)

Apple has been tight lipped but don't be surprised if it is found on iphones either. They already have a client available for Iphones. So if the carrier choses to install it you are SOL.

The carrier would have to convince Apple to make a special version of iOS for them because carriers cannot by themselves install unremovable crapware on iPhones. I'd like to see the carriers try this, I could use a good laugh.

Re:Can't someone sue the carriers? (3, Informative)

fsckmnky (2505008) | more than 2 years ago | (#38212906)

There are a few methods, that I am aware of, that might, although the legality of such methods I am unsure of, still allow for cell phone use while preventing this sort of spying from occurring.

One method, is to get a GNU Radio ( http://gnuradio.org/redmine/projects/gnuradio/wiki [gnuradio.org] ) device and operate it as a cellphone carrier firewall. This would accept connections from your cell phone, log and allow you to filter what is being sent, and then communicate with your carrier.

The other method, would be to use a cellphone data device / mobile hotspot, and then operate your cell phone using encrypted VOIP to an Asterisk server in your home / office.

If there are other methods, by all means let everyone know about them.

Re:Can't someone sue the carriers? (2)

andydread (758754) | more than 2 years ago | (#38212848)

Oh how nice of you to lump Google into this. I wonder if you are just pro trolling, or some fanboy of some type. . THis event has nothing to do with Google. It is installed by the cell carrier and there are clients available to carries for ALL mobile operating systems and it has been found on other non Android phones. Nice attempt to smear Google with this one.

Re:Can't someone sue the carriers? (0)

Anonymous Coward | more than 2 years ago | (#38212954)

Here's my idea: File a complaint with your state's attorney general.

Re:Can't someone sue the carriers? (5, Interesting)

GPLHost-Thomas (1330431) | more than 2 years ago | (#38212330)

you have to sign the carriers agreement, and in the carriers agreement, there is undoubtedly a clause where you give them permission to collect your data and use it as they see fit

That would seem right, but only for the time of the contract. What if, as in the video, you have a phone which isn't bound to a contract anymore, and still spying on you?

Re:Can't someone sue the carriers? (1)

fsckmnky (2505008) | more than 2 years ago | (#38212406)

Certainly, the army of attorneys at the disposal of the carriers, has been careful to word the agreement such that your scenario also applies.

Re:Can't someone sue the carriers? (2)

demonlapin (527802) | more than 2 years ago | (#38212630)

Just because you no longer have an early termination fee doesn't mean that you're no longer under contract; you're still operating under the same terms as before except that you can cancel service at any time. Glance at click-through licenses some time; they say things like "use of this device constitutes..." rather than "use of this service constitutes..."

Re:Can't someone sue the carriers? (5, Informative)

Maow (620678) | more than 2 years ago | (#38212908)

doesn't mean that you're no longer under contract; you're still operating under the same terms as before except that you can cancel service at any time.

In the video, he explains he has a separate phone for development, without any mobile provider / SIM, which he also plays games on.

It was connected via Wifi. Every keystroke, HTTPS search, etc. was recorded and presumably uploaded to CarrierIQ or to ATT (or whomever).

His device is not of concern to any mobile operator.

That's a significant issue, and I doubt he'd be hard pressed to convince a lawyer to take it on.

(IANAL, etc.)

Re:Can't someone sue the carriers? (1)

InsaneMosquito (1067380) | more than 2 years ago | (#38212912)

What happens when you aren't under a service contract any more? I never turn my old phone over to the carrier when I upgrade. The previous one makes a good toy for the little kids in the family. It has no cell service. I do still connect it to the family wireless.

Re:Can't someone sue the carriers? (1)

Anonymous Coward | more than 2 years ago | (#38212338)

There is a difference between collecting behavioral data about someone using a cellphone and secretly installing spyware that records everything you do.
The first is something an informed customer can anticipate on when buying a phone and signing a contract. The second goes far beyond what is reasonable to expect when using a phone.

I am pretty sure that a carrier in the EU would open itself up for criminal charges if they tried to pull a stunt like this.

Re:Can't someone sue the carriers? (1)

Grave (8234) | more than 2 years ago | (#38212710)

I am pretty sure that a carrier in the EU would open itself up for criminal charges if they tried to pull a stunt like this.

Welcome to America, where corporations are protected like deities, and the average citizen is expected to forfeit any and all rights.

Re:Can't someone sue the carriers? (5, Interesting)

Anonymous Coward | more than 2 years ago | (#38212612)

Carrier IQ DENIES that they are recording keystrokes. They deny this right now, on their website in a PDF, that is linked to right at the top of their home page:
"While we look at many aspects of a device’s performance, we are counting and summarizing performance, not recording keystrokes or providing tracking tools. The metrics and tools we derive are not designed to deliver such information, nor do we have any intention of developing such tools."

So even if our agreement with the carrier permits logging/capturing of this data, it doesn't allow you to LIE about doing it. Their software clearly logs data. We don't know if it keeps that data or transmits it back to anyone. But the data is clearly being captured in some fashion as demonstrated by the video.

Re:Can't someone sue the carriers? (4, Insightful)

fsckmnky (2505008) | more than 2 years ago | (#38212658)

Carrier IQ DENIES that they are recording keystrokes.

They aren't recording "keystrokes" .... they are recording "event data" of which, keystrokes are merely a sub-class of events. It's not a lie, just like when Bill Clinton told everyone "I did not have sexual relations with [Monica Lewinsky]." He didn't have sexual relations, as in, intercourse, he just played around with a cigar.

So even if our agreement with the carrier permits logging/capturing of this data, it doesn't allow you to LIE about doing it.

As argued above, they are not "lying." They are simply being extremely technically specific in their statements.

We, as private citizens, need to get better at reading between the lines, as that is where the truth is, in order to protect ourselves from the non-lying-liars.

Re:Can't someone sue the carriers? (1)

sociocapitalist (2471722) | more than 2 years ago | (#38212696)

IANAL but my understanding is that there can be clauses in contracts that are considered 'enforceable'. Perhaps someone who is a lawyer could opine on whether such a clause can protect a carrier or not?

Re:Can't someone sue the carriers? (1)

gl4ss (559668) | more than 2 years ago | (#38212700)

there's a LOT of things you can't just ask consumers for permission on the TOS and then go "nanananan it's legit you signed the contract!".
same thing applies to that you can't sign away your career through non-competes even if some employer wants you to believe so.
I wonder why so many people nowadays think that such clauses and shenigans are legit? is it because people read donald duck comics where they serve as plot devices? usury is illegal too - even if someone writes a contract for it(fyi uncle scrooge performs usury all the time on donald).

if it were legal to write any fucking kind of contract you want we would all be living in some crazy dystopia where everybodys life was determined by contracts written and signed before the person was even born(that would be pretty much what sucked about the middle ages).

furthermore, corporations don't have obligations to fuck up their value - corporations obligations to it's shareholders are defined by the corporation itself and legalities. starting a fucked up route like installing carrierIQ is actually something they should notify their shareholders of, because it's such a fucked up business decision in the first place and only serves to move money _away_ from the operator. I wouldn't be too surprised if cIQ had gone around offering coke'n'hoes equivalent to operator executives(in the mobile world because people are so lame the equivalent is just offering them a chance to booze off for the weekend).

but even then there's no mention of carrierIQ sw on their TOS and no mention on their data plans that portion of it will be used just for tracking what they do.

so do you really think it would be legal for at&t to start generating traffic using cIQ and place all their customers to 1 million dollar debt by leaving it to transfer data all night long? that's what you're implying the tos would allow them to do and what they _should_ do "to increase shareholder value" . it's just ridiculous. they should be busted for this. this if anything is a good example why the carriers shouldn't be the device providers! make a law against it. it's easy.

Re:Can't someone sue the carriers? (3, Insightful)

alostpacket (1972110) | more than 2 years ago | (#38212764)

While I agree with the spirit of your rant, AT&T did just show us this past spring that we might already be in such a dystopia. They challenged a customer's right to partake in a class-action lawsuit (when a customer had signed an binding arbitration contract. AT&T took it to the supreme court and won. [arstechnica.com]

Re:Can't someone sue the carriers? (4, Insightful)

fsckmnky (2505008) | more than 2 years ago | (#38212792)

there's a LOT of things you can't just ask consumers for permission on the TOS and then go "nanananan it's legit you signed the contract!". same thing applies to that you can't sign away your career through non-competes even if some employer wants you to believe so.

There is no law that I am aware of, that prevents private parties ( carrier and customer ) from agreeing to share information with each other. As for non-compete agreements, that is an entirely different issue ( legally ) than information sharing. It is voluntary for you to share, or not share, information with another party, while it is decidedly not voluntary for you to work and earn a living, unless someone else is working and earning a living to support you.

if it were legal to write any fucking kind of contract you want we would all be living in some crazy dystopia where everybodys life was determined by contracts written and signed before the person was even born(that would be pretty much what sucked about the middle ages).

I hate to break the news to you, but this is the world you live in now. Contracts are binding unless found all or in part ( under specific circumstances ) to be invalid by prior legislation or precedent.

because it's such a fucked up business decision in the first place and only serves to move money _away_ from the operator.

No. It increases shareholder value, up until the point where the public 1) becomes aware of it and 2) refuses to accept it and 3) finds the will to boycott the service. Unless all 3 of those things happen, the data collection is valuable, and enhances the bottom line.

so do you really think it would be legal for at&t to start generating traffic using cIQ and place all their customers to 1 million dollar debt by leaving it to transfer data all night long? that's what you're implying the tos would allow them to do and what they _should_ do "to increase shareholder value" . it's just ridiculous.

It is legal for AT&T to define "data usage" and "data caps" as "including data required to operate the service." As for whether they do this or not, cheCk your specific TOS. As an example of another industry that successfully did this, look at hard drive manufacturers. They have been claiming "300 Megabytes" when only "270 Megabytes" were in fact usable for over a decade now with much success.

As to your example of 1 million dollars in debt from carrier generated data streams, yes, that would cause the public to boycott the service and create lawsuits and bad debt. It is your extreme hypothetical abusive interpretation of the definitions that is ridiculous. In practice, this would optimally, from a revenue generation standpoint, be an amount that customers do not notice, whatever that amount may be.

I have not suggested carriers do anything, in any of my comments. I have merely attempted to explain the current ecosystem. No need to kill the messenger if you don't like the message.

Re:Can't someone sue the carriers? (1)

Gr8Apes (679165) | more than 2 years ago | (#38212988)

I believe that should there be confidential transactions of any sort, such as client attorney privs, done over the phone that CIQ would log would be illegal regardless of whatever "contractual" terms you sign. After all, the phone is presented as a communications device, not a device to eavesdrop on everything you do.

Caught in a lie then. (5, Insightful)

Nursie (632944) | more than 2 years ago | (#38212230)

That's just nasty. First try to silence the researcher, then try to deny what's going on when you've already been caught.

The question is, will this have any effect? Will carriers stop shipping this stuff ? Will consumers care?

My guess is no, they'll just try to hide it better in future.

highschooldirectory (-1)

Anonymous Coward | more than 2 years ago | (#38212302)

That's just nasty. First try to silence the researcher, then try to deny what's going on when you've already been caught.

The question is, will this have any effect? Will carriers stop shipping this stuff ? Will consumers care?

My guess is no, they'll just try to hide it better in future.

good one......................

www.highschooldirectory.com

I have (2, Insightful)

Anonymous Coward | more than 2 years ago | (#38212234)

Always been suspicious of the countless android apps that REQUIRE device permissions such as "full internet access", "read phone state and identity" etc...

Re:I have (4, Informative)

Chrisq (894406) | more than 2 years ago | (#38212246)

Always been suspicious of the countless android apps that REQUIRE device permissions such as "full internet access", "read phone state and identity" etc...

As far as I can gather this is worse. It comes pre-installed by your carrier, you never grant it access to everything and there is no sign that it is installed.

Re:I have (1)

Anonymous Coward | more than 2 years ago | (#38212376)

Unfortunately the "read phone state and identity" permission is necessary if the application wants to check for a valid license.

Technically it is not absolutely necessary - but the generated key necessary to call the Google license API is crap if the phone ID is not hashed into it.

Re:I have (5, Informative)

Fri13 (963421) | more than 2 years ago | (#38212254)

Then install Permission Denied application (you need root) what gives you possibility to rip those permissions off from application https://market.android.com/details?id=com.stericson.permissions [android.com] .

After selecting what permissions the app can have, you need to reboot to take it affect.
And the other great application is Droidwall what is firewall (needs root as well) where you choose per application does it have access to WLAN or 3G internet connection. Great to limit some apps only to use WLAN instead 3G or vice versa.

Re:I have (1)

rhizome (115711) | more than 2 years ago | (#38212404)

What application's permissions would be modified to protect a persons phone from CarrierIQ with your app?

Re:I have (3, Informative)

Catnaps (2044938) | more than 2 years ago | (#38212472)

If you need root for these things, you may as well just grab a custom ROM to go along with it which has CIQ removed (well, most devs remove it anyway). I know my Sensation third-party ROM (ARHD 4.1.x) doesn't have CIQ anywhere in it, I've checked.
After all, flashing a ROM after rooting is a really small step in terms of difficulty and then you're totally free of CIQ.

Re:I have (0)

Anonymous Coward | more than 2 years ago | (#38212958)

Except for those with a locked bootloader

Re:I have (2)

Catnaps (2044938) | more than 2 years ago | (#38212990)

My Legend had a locked bootloader, so did my Sensation. Emphasis on past tense, because you can unlock them quite easily with some help from XDA Devs. My Sensation was literally; "run batch file, wait 3 minutes and watch it reboot a few times, check bootloader: S-OFF. Done."

Re:I have (5, Informative)

daid303 (843777) | more than 2 years ago | (#38212732)

One of the latest (7.2 or something) CyanogenMOD versions allows you to revoke permissions on installed apps. Which is the main reason why I installed Cyanogen.

Needs to be labeled as spyware (4, Insightful)

assemblerex (1275164) | more than 2 years ago | (#38212248)

Clearly that's what it is, it spies to enrich the company at your expense.

Re:Needs to be labeled as spyware (4, Insightful)

PolygamousRanchKid (1290638) | more than 2 years ago | (#38212364)

. . . at your expense.

So guess who pays for the transmission of all those logged clicks . . . ?

. . . and you thought some other app was draining you battery and carrier account limit . . . ?

Conspiracy theories aside... (4, Insightful)

ruemere (1148095) | more than 2 years ago | (#38212250)

What software is actually affected? What phone models? What platforms? What applications?
If it's just AT&T and its victims, well, it's their own private little hell. Otherwise, some facts would be nice.

For now, (quoting from the article), phrase of "millions of Android, BlackBerry and Nokia phones" smacks of cheap propaganda and scaremongering.

Regards,
Ruemere

What phones and providers to avoid? (2)

aliquis (678370) | more than 2 years ago | (#38212274)

So, will someone set up a list for which products not to buy?

If I get a phone here in Sweden which is just plain vanilla stock version will that contain the software or is it something the service providers install on "their own" phones?

Re:What phones and providers to avoid? (2)

xaxa (988988) | more than 2 years ago | (#38212414)

I don't see it on my UK stock (non-branded) Desire.

Look in "All Applications" as explained by the video. I haven't checked with the debugger.

Re:Conspiracy theories aside... (0)

Anonymous Coward | more than 2 years ago | (#38212286)

That's the point

Its hidden pre installed rootkit spyware

No one but carrieriq knows how many devices are infected

Re:Conspiracy theories aside... (5, Insightful)

Fri13 (963421) | more than 2 years ago | (#38212336)

Seems like none of phones sold in EU comes with this preinstalled.

Think about it. EU would rip every carrier, phone manufacturer and software company in pieces if such privacy abusing would rise.
Not even any end user license would protect those companies at all.

Re:Conspiracy theories aside... (1)

Anonymous Coward | more than 2 years ago | (#38212786)

Do you have a source for that statement? CarrierIQ does have office in Europe, so I guess they are not just targeting the US.

Re:Conspiracy theories aside... (0)

Anonymous Coward | more than 2 years ago | (#38212970)

See the following article:
http://www.carrieriq.com/company/news.htm

Are you saying that Portugal isn't a part of the EU? I think it shouldn't be but that's besides the point. Portugal networks have been pimping this as a feature since 2009.

Re:Conspiracy theories aside... (0)

Anonymous Coward | more than 2 years ago | (#38212962)

Prudence, indeed, will dictate that [Cellphone providers] long established should not be changed for light and transient causes; and accordingly all experience hath shewn, that mankind are more disposed to suffer, while evils are sufferable, than to right themselves by abolishing the forms to which they are accustomed. But when a long train of abuses and usurpations, pursuing invariably the same Object evinces a design to reduce them under absolute Despotism, it is their right, it is their duty, to throw off such Government, and to provide new Guards for their future security.--Such has been the patient sufferance of these [Customers]; and such is now the necessity which constrains them to alter their former Systems of [Cellphone coverage].

CyanogenMod (4, Insightful)

monkeyhybrid (1677192) | more than 2 years ago | (#38212312)

FTA: "it cannot be turned off without rooting the phone and replacing the operating system"

So even more reason to flash your droid with CyanogenMod or custom ROM of your choice.

Re:CyanogenMod (2)

Fri13 (963421) | more than 2 years ago | (#38212348)

By my opinion, every Android phone should be upgradable by the user in any country legally, when ever new ROM is released, from Google or from third party.
After all, phone manufacturers and carriers are just selling hardware and services, not the software.

Re:CyanogenMod (-1, Troll)

GPLHost-Thomas (1330431) | more than 2 years ago | (#38212350)

Well, it's even more a reason to help the guys working on having Debian and friends to replace the proprietary OSes that are shipped with Android. Please don't reply that Android is open source, unless you can show me the sources for CIQ!!! And just to advertize for the good: http://www.freesmartphone.org/ [freesmartphone.org]

Re:CyanogenMod (3, Interesting)

MimeticLie (1866406) | more than 2 years ago | (#38212462)

Please don't reply that Android is open source, unless you can show me the sources for CIQ!!!

Please don't reply that Linux is open source, unless you can show me the sources for Flash or Opera.

Wow, a dumb troll (0, Troll)

SmallFurryCreature (593017) | more than 2 years ago | (#38212550)

Linux is the kernel, neither Opera and Flash are required for the kernel or indeed many a distro ESPECIALLY Debian. There are many alternative browsers to Opera which has a tiny market share and not having Flash doesn't seem to have stopped iOS at all.

So, how does it feel to fail even at trolling?

Re:Wow, a dumb troll (1)

Catnaps (2044938) | more than 2 years ago | (#38212674)

He was being sarcastic, but do carry on.

Re:Wow, a dumb troll (5, Funny)

Anonymous Coward | more than 2 years ago | (#38212676)

GP's point was that CarrierIQ is as much part of Android as Flash or Opera is part of Linux. The fact that it runs on Android and that carriers install it on Android doesn't change that.

How does it feel to fail even at basic reading comprehension skills?

Re:Wow, a dumb troll (0)

Anonymous Coward | more than 2 years ago | (#38212686)

Carrier IQ is not required for the kernel either, and there are Android versions without it.

How does it feel to fail trolling the troll?

Re:Wow, a dumb troll (1)

Pi1grim (1956208) | more than 2 years ago | (#38212730)

Well, then nobody can use linux on computers with NVidia video card and call it linux? Or broadcomm wifi chips? That is the main problem with android — we don't have open source drivers for the phones. And that is the fault of mobile phone manufacturers. As well as locked bootloaders.

As for the CIQ — it is not a part of android. It is a third-party app, so comparison with flash is quite adequate. Heh, using your own argument — not having CIQ didn't stop CyanogenMod or other roms. Heck, I'm pretty sure there are some phones with stock android, that don't have CIQ preinstalled (mostly the ones, that carriers didn't get their dirty little hands on).

Re:CyanogenMod (1)

Catnaps (2044938) | more than 2 years ago | (#38212482)

Wow, you're a smart one.

Re:CyanogenMod (3, Insightful)

l3v1 (787564) | more than 2 years ago | (#38212532)

Please don't reply that Android is open source, unless you can show me the sources for CIQ!!!

Uhmm... how so? Android's openness has nothing to do with CIQ.

Re:CyanogenMod (1)

muffen (321442) | more than 2 years ago | (#38212352)

So even more reason to flash your droid with CyanogenMod or custom ROM of your choice.

There is still a level of trust required, you shift from trusting your tele-operator to trusting the Cyanogen-mod people.

To be honest, the best, relatively doable way, is to compile the ROM yourself. It's not that hard, XDA Developers has great information on how to do so. Sure, in this case you need to trust google but in the previous cases you need to trust google + teleoperator, or google + cyanogen mod devs.

Lets not forget that your operator can track your calls quite easily even without software.

I'd be interested in a list of operators that use this software, and an explanation as to what they are using it for, and how they verify that it isn't used for spying on people.

NSA (0)

Anonymous Coward | more than 2 years ago | (#38212448)

>[..] and an explanation as to what they are using it for, and how they verify that it isn't used for spying on people.

Ever heard of the NSA? This was designed to spy on people. Hmm... the only people interested in this sort of spyware are actual spies and criminals. So any carrier running this on their sets are either criminals or an NSA goal-keeper.

Re:CyanogenMod (0)

Anonymous Coward | more than 2 years ago | (#38212904)

Compiling yourself only helps if you read and understood the source code first. (And not just the Android sources, also those of your compiler, etc.)

Re:CyanogenMod (0)

Anonymous Coward | more than 2 years ago | (#38213020)

Lets not forget that your operator can track your calls quite easily even without software.

Indeed. I'm quite aware of it- which is why I question that they even NEED this software on the device in the first place. With the ability they actually currently have for call trace, etc. through most of the mobile networks, they don't need anything like this at all.

Re:CyanogenMod (2)

mea_culpa (145339) | more than 2 years ago | (#38212422)

It would be nice if smartphones were given the same level of respect that PCs get.
Unlocked boot loaders, choice of operating systems, and more protection from illegal search and seizure from law enforcement.

Any other tricks? (0)

Anonymous Coward | more than 2 years ago | (#38212342)

Did Eckhart specify if this CarrierIQ could also relay microphone data in any way?

Re:Any other tricks? (2)

shutdown -p now (807394) | more than 2 years ago | (#38212824)

He didn't demo it in the video, but there was one bit where he showed permission list for the app - and it basically owns the world. And yes, this includes recording audio. Whether it's actually using that permission for anything is an interesting question.

Worse than the papers (1)

dcarmi (940742) | more than 2 years ago | (#38212412)

News International shut down a paper because it was caught hacking voicemails. These guys are pretty much hacking everything.

How many people have access services via mobile with their work accounts? More than a few I would guess.

Three-letter agencies (1)

MimeticLie (1866406) | more than 2 years ago | (#38212434)

I saw a comment on another website speculating that the NSA might be involved with this. I'm not nearly enough of a tinfoil hat wearer to accept that without any evidence, but I think it says something that this looks big enough that people think it must be a government effort.

Just another example of how Big Brother has gone corporate.

Re:Three-letter agencies (1)

thsths (31372) | more than 2 years ago | (#38212726)

> I saw a comment on another website speculating that the NSA might be involved with this. I'm not nearly enough of a tinfoil hat wearer to accept that without any evidence

Haha, good luck finding the evidence. The NSA is trying really hard to avoid leaving any hard evidence behind.

Personally I think this has NSA written all over it. It is a software clearly designed to spy on customers, although I tend to believe that it is not usually report back the findings. Of course that is only a switch that you have to flip... and who would like to be able to do that? Bingo.

Credit card number exposure (5, Insightful)

SlashRAH (1236462) | more than 2 years ago | (#38212466)

When somebody installs a skimmer on an ATM or fuel pump, there are criminal penalties for (attempted) fraud. How is this software any different?

IF YOU AIN'T DOING NOTHING WRONG WHY BE AFRAID ?? (-1)

Anonymous Coward | more than 2 years ago | (#38212524)

Are you a criminal ?? Are you a terrorist ?? No ?? Then don't worry and be happy you are protected from those who would do you harm !!

Pizza (1)

JustOK (667959) | more than 2 years ago | (#38212530)

There's the story about how intelligence was gathered by watching the number of pizza deliveries to the White House.
Imagine how much better this would be. Not only spying for the govt, and by the govt, but for corp espionage.

Company A: Hey, out data shows a number of people at our competitor are gathering at an off-site location...hmmm

Re:Pizza (1)

LoRdTAW (99712) | more than 2 years ago | (#38212894)

Probably gathering for a pizza party!

Shhhh (0)

Anonymous Coward | more than 2 years ago | (#38212540)

They just need to find an internal cache that never leaves the owner's devices to really highlight this problem in the world's press

is this on iphone too? (2)

sunr2007 (2309530) | more than 2 years ago | (#38212560)

would like to know whether apple/AT & T or apple/any other carriers do this on iphone too?

That makes it clear. (1)

Stumbles (602007) | more than 2 years ago | (#38212564)

Their program is nothing more than a keylogger.

Re:That makes it clear. (1)

shutdown -p now (807394) | more than 2 years ago | (#38212832)

It's a bit more than that - e.g. it can log distinct events such as receiving an SMS (complete with text), or URLs you type in the browser (not as separate keystrokes, but a complete URL).

The pertinent question is, what exactly gets sent over the network?

Not PCI compliant (5, Insightful)

kooky45 (785515) | more than 2 years ago | (#38212594)

I believe this rules out all Android devices with CarrerIQ agents from being used to handle payment card numbers. There's no obvious mention on CarrerIQ's website of PCI compliance or how they protect the user's data. It probably also contravenes SOX, HIPAA and and host of other industry regulations. Bye bye lots of commercial use of Android handsets, especially Blackberry.

Re:Not PCI compliant (1)

Catnaps (2044938) | more than 2 years ago | (#38212680)

Haha oh wow, that's an excellent fucking point there my friend. Damn, I didn't even think of that.

May I suggest... (4, Interesting)

aug24 (38229) | more than 2 years ago | (#38212656)

...someone with skillz makes a freely installable CIQ clone that sends them back fake, randomly generated results.

Re:May I suggest... (1)

Catnaps (2044938) | more than 2 years ago | (#38212684)

Or Goatse. Lots and lots of Goatse. And Tubgirl. And Two Girls... well, you get the idea.

What are they thinking? (1)

joh (27088) | more than 2 years ago | (#38212670)

I mean, really. Android (and the Android market and Android apps) already has grown a reputation of being full of crap and scamware and spyware and Google is somehow very much "we spy on you but in turn everything we offer is free" anyway. With things like that Google and the carriers just nail down Android phones as something you have to sell your soul for getting some free candy. And yes, people love free candy and have not really a use for their souls, but then smartphones aren't free at all. Things like this are just poison for the smartphone business, believe me.

Re:What are they thinking? (1)

Maow (620678) | more than 2 years ago | (#38213000)

With things like that Google and the carriers just nail down Android phones as something you have to sell your soul for getting some free candy.

A couple things:

1) It's also on Blackberries, I think he said Nokia (Win phones? Symbian?), and who knows about Iphones - I suspect it is.

2) Google wasn't spying enough, so a 3rd party provided the software to the carriers, not through the app store to users.

It could be that Android's openness is what allowed this to be discovered.

How this will affect the smartphone market is hard to say, but I suspect people will want their "candy" and damn the consequences. So I kinda agree with you about peoples' candy desires, but disagree that this will significantly change the smartphone market (although I hope the carriers are sued silly over this).

What about doing Internet Banking on one of these? (1)

Anonymous Coward | more than 2 years ago | (#38212712)

Do they now have your details? What any other passwords you have entered on the device?

This explains... (1)

dohcvtec (461026) | more than 2 years ago | (#38212816)

why Android phones are so laggy/sluggish.

Re:This explains... (1)

wall0645 (1665631) | more than 2 years ago | (#38212936)

It's laggy/sluggish because the UI is written in Java.

Not found on stock Desire HD (1)

Catnaps (2044938) | more than 2 years ago | (#38212828)

I just checked a Desire HD we have here at work- bought in the UK a year ago, SIM-free, totally stock. No trace of CIQ in running applications. Maybe this is indeed US-only, or perhaps carrier-branded-only.

In Soviet Russia phone would spy on you... (1)

Moskit (32486) | more than 2 years ago | (#38212892)

...wait, it's true, only in Corporate USofA and today!

Read P.K.Dick on world taken over by corporations. He wa a visionary, like so many S-F writers. They have foreseen all things that happen, technically and morally.

But is the data actually transmitted anywhere? (5, Interesting)

Wyzard (110714) | more than 2 years ago | (#38212960)

In this video, the researcher is looking at debug logs from the phone itself, not network traffic logs showing remote communication. He clearly shows that keystrokes and URLs are being passed to the IQ software running on the phone, but presents no evidence that the data is actually sent to anything outside of the phone.

Has anyone determined what the IQ software does with all this information besides writing it to the debug logger? Is it actually sent somewhere, or saved to persistent storage on the phone? (I'm no Android expert, but I'm under the impression that debug messages are discarded when there's no debugger attached.)

Having this software running in the background is sneaky and certainly makes spying more possible than it would be otherwise, but it's not necessarily the huge immediate privacy violation that everyone seems to be assuming it is.

Re:But is the data actually transmitted anywhere? (2)

Catnaps (2044938) | more than 2 years ago | (#38213004)

Just because you don't have proof that the card skimmer on the local ATM isn't sending data back to its installers, doesn't mean it's not. It has the potential to, and it's designed to do exactly that- which should be enough for CIQ to be harpooned with all due haste.

So where does he show this data is sent anywhere? (0)

Anonymous Coward | more than 2 years ago | (#38212964)

I can see in the Video that the application gets notified about a lot of stuff, could someone show that the data actually leaves the phone?

iPhone (1)

koan (80826) | more than 2 years ago | (#38212982)

So is this a +1 for the iPhone and Apple's need to control their shiz or our they doing the same thing internally? Since CarrierIQ is effectively a key logger doesn't that make it illegal" Are we going to see some legal action here?

Web Directory (-1, Troll)

alex jhon (2512318) | more than 2 years ago | (#38213082)

There's no obvious mention on CarrerIQ's website of PCI compliance or how they protect the user's data. It probably also contravenes SOX, HIPAA and and host of other industry regulations. Bye bye lots of commercial use of Android handsets, especially Blackberry. Web Directory [worldsbestsites.biz]
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?
or Connect with...

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>