
Researchers Say Carrier IQ Isn't Logging Data, Texts

Soulskill posted more than 2 years ago | from the but-our-pitchforks-are-all-polished-and-sharpened dept.

Android 130

Trailrunner7 writes "Security researchers who have investigated the inner workings of the Carrier IQ software and its capabilities say the application has some powerful, and potentially worrisome capabilities, but as it's currently deployed by carriers it doesn't have the ability to record SMS messages, phone calls or keystrokes. However, the researchers note there is still potential for abuse of the information that's being gathered, whether by the carriers themselves or third parties who can access the data legitimately or through a compromise of a device. Jon Oberheide, a security researcher who has done a lot of work on Android devices, also analyzed several versions of the Carrier IQ software and found the software has the ability to record some information, but that doesn't mean it's actually doing so. That part is up to each individual carrier. However, he says the ability to collect such data is a dangerous thing. 'There is a lot of capability to collect sensitive data, which is dangerous in any scenario,' Oberheide said in an interview. 'It's up to the carriers to use the software as they choose, but you could sort of put some blame on Carrier IQ. But they put it on the carriers.'" For those who don't want to trust in the good will of Carrier IQ or carriers themselves, here are a couple ways to get it off your phone.


130 comments


Old news (-1, Troll)

pclminion (145572) | more than 2 years ago | (#38274000)

This was known days ago. Of course that fucks up your nice little conspiracy theory, so it wasn't posted.

Re:Old news (0)

Anonymous Coward | more than 2 years ago | (#38274104)

Another comment to this news would, perhaps be:
"Yeah, right."

I mean, is this an attempt at spin? (I'm genuinely asking. I didn't read the summary.)

Re:Old news (1)

TimeOut42 (314783) | more than 2 years ago | (#38274454)

Haha, this post reminds me of the commercial where the girl is talking about her parents and the internet; where she read an article, well part of an article......

Re:Old news (5, Funny)

Sarten-X (1102295) | more than 2 years ago | (#38274132)

If it isn't GPL-licensed and built by a collective herd of protesting armchair engineers, it must be a tool by corporate government cronies to invade our privacy and steal the vital details of how often we wash behind our ears.

That was sarcasm.

Re:Old news (1)

cultiv8 (1660093) | more than 2 years ago | (#38274410)

Dammit, there goes my who-i-detest-most-internet-meme of the week...

Re:Old news (2)

migla (1099771) | more than 2 years ago | (#38274652)

Yeah! Stupid freedom mongers! Corporations would never lie to us! It's so stupid being a little person interested in sharing. Being a corporate lackey is where it's at. Kiss up - kick down! :)

Re:Old news (0)

Anonymous Coward | more than 2 years ago | (#38274746)

The sarcasm notation would have better served the public had it been opt-in (i.e. prefacing your comment).

[captcha=hammered; hammer is host of the SNL rerun currently running on netflix.]

Re:Old news (1)

LifesABeach (234436) | more than 2 years ago | (#38274986)

What could possibly go wrong? Maybe everything, if you're Newt Gingrich, or Herman Cain.

Re:Old news (1)

mrmeval (662166) | more than 2 years ago | (#38276076)

That's actually collectivist armchair douche canoes who know what's best for you.

Re:Old news (2)

SpaghettiPattern (609814) | more than 2 years ago | (#38276732)

If it isn't GPL-licensed and built by a collective herd of protesting armchair engineers, it must be a tool by corporate government cronies to invade our privacy and steal the vital details of how often we wash behind our ears.

That was sarcasm.

No, that was below the belt! We were on a rant high and there you come and spoil the party.

Seriously though, logging stuff you would send over SSL is pretty scary. It circumvents the whole concept of being able to communicate securely over an insecure medium. Then CIQ isn't killable or removable by mortals. Still CIQ cs. claim they only press petals.

Re:Old news (1)

supermariosd (1854156) | more than 2 years ago | (#38276752)

Don't you mean a GNU HURD of protesting armchair engineers? ;)

Re:Old news (0)

Anonymous Coward | more than 2 years ago | (#38277686)

Actually, you may be joking, but the market demands it. By its very definition.

You can either be a company who doesn't do it, hence make less money, and die out.
Or you can be a company who does it.

The only thing stopping companies from raping and killing everyone and everything for money, is those pesky laws.
(Because somebody would start it, would become big, and either you'd start doing it too, or get stomped out. [Quite literally])
But they fight hard to remove them, so they can have what they call "the free market".

It's that simple.

Re:Old news (5, Insightful)

StripedCow (776465) | more than 2 years ago | (#38274240)

Indeed, and carriers of course could already view and record text messages. They don't need an app for that.

Re:Old news (2)

alienzed (732782) | more than 2 years ago | (#38275444)

In fact, by definition they do do this as they act as the intermediary between any two devices.

Re:Old news (1)

LesFerg (452838) | more than 2 years ago | (#38274346)

Who exactly were you referring to there? Slashdotters like to take the piss out of conspiracy theorists as much as they like to report on them. If it was a worthy conspiracy theory to start with in the first place; sounded more like a market analysis tool to most of us, I expect.

Re:Old news - maybe not (4, Insightful)

icebike (68054) | more than 2 years ago | (#38274540)

This was known days ago. Of course that fucks up your nice little conspiracy theory, so it wasn't posted.

Carrier IQ has admitted that it records URLs of every web site you visit on your mobile device, and sends it to the carrier.
So there is another subpoena target for the authorities. Even your ISP doesn't necessarily get that information. Why should your carrier?

Re:Old news - maybe not (2)

TimeOut42 (314783) | more than 2 years ago | (#38274586)

Do you really think that the carrier doesn't already know that information? Your ISP does get that information; it has to route your packets using something other than magic fairy dust. They even use that information to shape their traffic and optimize their proxy servers.

Re:Old news - maybe not (2)

trikes57 (2442722) | more than 2 years ago | (#38274730)

Your ISP does get that information; it has to route your packets using something other than magic fairy dust.

Wait...
Doesn't one's browser resolve the IP address using DNS, and then send the request directly?
Do ISP DNS servers log such look-ups?

I can't imagine an ISP, unless they are running a caching proxy, having the ability to log every single URL from every browser on their network. Even when they do run a caching proxy it's an LRU+current content computation, not a logging operation. High volume pages stay current because they are hit frequently.

I think the GP meant that your ISP does not log URLs other than those on their own web servers. The rest pass thru as data.

Re:Old news - maybe not (1)

Anonymous Coward | more than 2 years ago | (#38274952)

ISPs can log every request. There is no pass through. A DPI system can log every packet and get page and URL data for every site you visit. You can also do this at home without fancy ISP hardware. Just install tomatousb on your router and set it to log every URL.

Re:Old news - maybe not (2)

pclminion (145572) | more than 2 years ago | (#38274604)

Carrier IQ has admitted that it records URLs of every web site you visit on your mobile device, and sends it to the carrier.

In other news, Netgear admits that sometimes malicious packets travel through routers made by Netgear, and Intel concedes that it enables x86-based malware by continuing to produce microprocessors. The software was paid for and installed by the carriers. Carrier IQ is a solution provider.

Re:Old news - maybe not (0)

Anonymous Coward | more than 2 years ago | (#38275920)

It CAN record. However, carriers have to pay for it and NO carrier would actually do that simply because it's worthless data + crosses too many lines ethically speaking that not even a big company would think they could get away with.

People like you and your train of mis-information is what gives sites like Slashdot such a horrible reputation and you should be ignored.

Re:Old news (0)

Anonymous Coward | more than 2 years ago | (#38274632)

This was basically a FUD campaign and I won't be surprised if it was funded mostly by Microsoft.

It's pretty obvious they pay marketing shills like InsightIn140Bytes to bash competitors and praise Microsoft on forums like Slashdot and Reddit. He's just the last in line so far of a long line of slashdot users (ge7, tech4, techLA, sharklaser).

Re:Old news (5, Insightful)

Pf0tzenpfritz (1402005) | more than 2 years ago | (#38274664)

Fact is: They sold you a phone with a rootkit installed that could record and transmit anything without your notice or your consent. That's still fucking bad enough for me. Claiming that "it wasn't activated by default" doesn't change a bit of it.

Re:Old news (1)

pclminion (145572) | more than 2 years ago | (#38276034)

Fact is: They sold you a phone with a rootkit installed that could record and transmit anything without your notice or your consent.

My phone was not purchased from Carrier IQ.

Re:Old news (1)

adolf (21054) | more than 2 years ago | (#38277068)

Fact is: They sold you a phone with a rootkit installed that could record and transmit anything without your notice or your consent.

My phone was not purchased from Carrier IQ.

I think he meant "they [wikipedia.org] " as in "The Man [wikipedia.org] ," not as in "Carrier IQ [carrieriq.com] ."

Re:Old news (0)

Anonymous Coward | more than 2 years ago | (#38276372)

Video clearly shows it logging every keypress so I guess that fucks up YOUR nice little conspiracy theory.
http://www.wired.com/threatlevel/2011/11/secret-software-logging-video/

Re:Old news (0)

pclminion (145572) | more than 2 years ago | (#38276450)

I have watched the video. I don't see anything at all suspicious about it. Events which occur on your phone are processed and dispatched through some central service, and it's possible to monitor these things as they happen. Wow, that's a shocker.

In other news, the Windows OS intercepts all your keystrokes and processes all your packets. Keep your head down, the sky is falling.

Re:Old news (0)

Anonymous Coward | more than 2 years ago | (#38276470)

The only ones claiming that it's not logging keystrokes are industry flacks. Anyone else can turn on the debugger and see that android calls a carrieriq function with the keycode on every keystroke, just like the videos show.

I'm sure that function is just a NOOP. For now.

I challenge all Slashdotters! (-1)

Anonymous Coward | more than 2 years ago | (#38274018)

Be defeated by my garbage laid to your waste...

Penis Made From Fish Scales! (-1)

Anonymous Coward | more than 2 years ago | (#38274066)

what a world
what a world
what a world

Re:Penis Made From Fish Scales! (-1, Offtopic)

migla (1099771) | more than 2 years ago | (#38274150)

Use a condom. I don't usually condone that sort of thing, since it feels so much nicer without one and fucking is to die for, but if your penis has fish scale-like properties, use a condom. Problem solved. Next.

Re:Penis Made From Fish Scales! (-1, Flamebait)

migla (1099771) | more than 2 years ago | (#38274992)

Off topic? Sure. Good use of mod points? No. You should mod this down too, so you won't go and put your points to any use that matters. Don't worry about me. I'll be excellent.

Don't confuse the masses with legalese please (1)

bogaboga (793279) | more than 2 years ago | (#38274160)

Jon Oberheide, a security researcher who has done a lot of work on Android devices, also analyzed several versions of the Carrier IQ software and found the software has the ability to record some information, but that doesn't mean it's actually doing so.

Can our learned friend Jon elaborate as to whether this is legal under US law? Let him say it is, instead of trying to dampen the outrage surrounding this whole issue. I say this because further below, he opines by saying the following:

"...the ability to collect such data is a dangerous thing. 'There is a lot of capability to collect sensitive data, which is dangerous in any scenario..."

Key words: "dangerous in any scenario"

There you have it. We surely should expect more from these companies. Someone should go to jail over this.

Re:Don't confuse the masses with legalese please (2)

TimeOut42 (314783) | more than 2 years ago | (#38274504)

Go to jail over what? Nobody has really proved anything. Driving a car is dangerous under any scenario; someone should go to jail over this!

Bottom line, knee jerk report about stuff showing up in the logcat; research done. I didn't see anyone listening on the wire to see what was actually being sent, how it was being sent or give Carrier IQ and the carriers a chance to explain. It was just people with pitchforks and torches.

Re:Don't confuse the masses with legalese please (2, Insightful)

Luckyo (1726890) | more than 2 years ago | (#38274588)

Why does someone "have to go to jail"? Will it fix something? Or will it tickle your sadistic fetish?

We don't live in times when lynching the first black guy who crosses the path of lynch mob was the right way to get justice for rape done by your neighbor, and that's exactly what you're asking for here.

People signed the contract that allowed them to do this. There are no laws that were broken. You and your neighbors elected people who decided that there was nothing illegal about this, as long as they were using it properly, to monitor the status of your phone in relation to their network. So far there has been no evidence of this being untrue. Just because the program gives them the ability to do much more than that doesn't mean it was USED to do much more. This is the argument used to allow us to do things from driving cars to owning guns for fuck's sake. Why does it suddenly become invalid here?

Therefore if someone should "go to jail", perhaps a long look into the mirror is in order?

Re:Don't confuse the masses with legalese please (5, Interesting)

erroneus (253617) | more than 2 years ago | (#38274666)

Actually, the trend of late is to use customers as additional products for sale often without the consent of the customers who are being [ab]used. It may take some doing to get law to reflect the moral problems of this sort of thing, but you can bet if the kind of data they are collecting on others was collected on the perpetrators and made public, it might make a few of them a bit upset to the point of taking legal action. No one wants this done to them and especially not the ones doing it. So the morality of all this is certainly not in question. Now we just need some "do unto others" put into law.

Someone needs to go to jail to stop the avalanche of "me-too-ism" on this gold rush to exploit consumers.

Re:Don't confuse the masses with legalese please (1)

cheekyjohnson (1873388) | more than 2 years ago | (#38275538)

You and your neighbors elected people

But what if you didn't?

Re:Don't confuse the masses with legalese please (1)

Luckyo (1726890) | more than 2 years ago | (#38277728)

Then you didn't use your right to vote, or didn't push your opinion around to convince more people that this is wrong, so why are you complaining now? It's with your silent acceptance that they made the laws.

Re:Don't confuse the masses with legalese please (0)

Anonymous Coward | more than 2 years ago | (#38276810)

Python, which comes preloaded on most OSes, also has the capability to collect sensitive data. It can transmit the entire contents of your filesystem to someone else and then delete your copy.

Is that also "dangerous in any scenario?" No, not without completely irresponsibly hysteric hyperbole.

That is why the context of Oberheide's comments matters and why the specifics of what the software is actually doing isn't "confusing the masses with legalese." Indeed, ignoring those specifics and picking unfortunate choice quotes like "dangerous in any scenario" is a lot more confusing to the masses, because out of context that's just plain wrong. Sorry. You want him to dumb it down and just tell you whether Carrier IQ is benign or malevolent, or legal or illegal, and he's not doing that for you. Tough shit. Deal with it.

Pet Peeve: SEO and URLs. (5, Interesting)

Anonymous Coward | more than 2 years ago | (#38274164)

Something that's been bugging me lately is the recent trend of URLs that are optimized for SEO.

Here are three random articles from the front page of Slashdot, Reuters, and TheStreet.com:

Once upon a time, the important part of the URL - the identifier of 2225202 [slashdot.org] at Slashdot, idUSTRE7B019B20111205 [reuters.com] at Reuters, and 11332765 [thestreet.com] at TheStreet - was all that a potential URL-logger got to see. URLs were not only shorter, they had meaning relevant only to that one particular site's CMS, and it required Yahoo/Google/Bing/government-sized resources to follow every such link and map URLs to content on scales as big as "everyone who uses the WWW".

Except that nowadays, most URLs are rewritten with-redundant-text-for-SEO-purposes. Slashdot's URLs say researchers-say-carrier-iq-isnt-logging-data-texts [slashdot.org], Reuters' URLs say us-russia-election [reuters.com], and TheStreet's URL says its-official-facebook-buys-gowalla-team.html [thestreet.com].

All of a sudden, if I have access to the URL stream, I can now figure out that you're interested in Carrier IQ's spyware, the Russian elections, and whatever Facebook is up to this week -- with nothing more complicated than "grep".

I'm not advocating tinfoil haberdashery: there's no grand conspiracy of webmasters to make clickstreams greppable. It's merely a regrettable (for end user privacy) side effect of the relentless push towards SEO that organizations like Carrier IQ can get a lot more "interesting" information out of a user's clickstream than they would have been able to do as recently as two years ago.

Re:Pet Peeve: SEO and URLs. (4, Informative)

larry bagina (561269) | more than 2 years ago | (#38274374)

Re:Pet Peeve: SEO and URLs. (2)

discord5 (798235) | more than 2 years ago | (#38274460)

And here I was wondering what he was up to lately...

Re:Pet Peeve: SEO and URLs. (1)

Anonymous Coward | more than 2 years ago | (#38275638)

Mod parent up. I didn't know the text after the article id was arbitrary and ignored.

http://yro.slashdot.org/story/11/12/05/2225202/I-hate-wikileaks-and-am-a-loyal-patriot

Re:Pet Peeve: SEO and URLs. (3, Insightful)

Sarten-X (1102295) | more than 2 years ago | (#38274658)

The descriptive URLs are also more useful for situations where you might be seeing the URL on its own, such as in a message from a friend. A message saying "go check out story 2225202 on Slashdot" is unlikely to get someone's attention, but an address mentioning a specific issue might. In a link to an article on an unknown blog, descriptive words can inspire enough confidence to view the article, rather than lead to the expectation that the mess of numbers is an obfuscation hiding our dear friend Goatse.

The trend may indeed have its roots in SEO, but I, for one, like it.

Re:Pet Peeve: SEO and URLs. (0)

Anonymous Coward | more than 2 years ago | (#38274838)

*shrug* It's a nearly trivial amount of additional work to grab the title along with the URL, which gives you the same information. This way the links themselves are informative. If you don't want a sniffer to know what you are reading, use HTTPS (if the site offers it; HTTPS Everywhere [eff.org] will use it automatically if it does) or Tor.

Re:Pet Peeve: SEO and URLs. (2)

LordLucless (582312) | more than 2 years ago | (#38275722)

And even before that, back when websites were static things made by hand, URLs were generally human-readable and meaningful. The whole "arbitrary primary key in the URL" was a brief blip due to unsophisticated content management systems. It's not even to do with SEO; ask any consumer of a CMS if they'd rather their customers visit /story/3409u65096890547567 or /story/latest-scandel-breaks. They'll always pick the latter. Large, random numbers, to most people, are ugly. If they can hide them away behind something human-readable and friendly, they will. Hence DNS.

Re:Pet Peeve: SEO and URLs. (0)

Anonymous Coward | more than 2 years ago | (#38276092)

Ridiculously long URLs full of words are ugly too, though.

Re:Pet Peeve: SEO and URLs. (2)

Qzukk (229616) | more than 2 years ago | (#38276484)

or /story/latest-scandel-breaks

Spelled that way because latest-scandal-breaks was already taken?

"Isn't" isn't good enough... (0)

Anonymous Coward | more than 2 years ago | (#38274182)

It should be legally prohibited, with severe civil and criminal penalties.

On trusting shit. (5, Insightful)

Hazel Bergeron (2015538) | more than 2 years ago | (#38274200)

If I use any modern mobile 'phone then I assume anything I put on it and where it is can be read by the OS vendor and the carrier. The environment is too tightly controlled and lacking in openness for me to be able to come close to verifying otherwise. We can assume that the facility is only used on rare occasions because one significant revelation of data transmission will put people off buying the product, IOW the only thing keeping anyone safe is the "you're not important enough to matter" card.

But if you're doing anything remotely interesting, whether that's in industry or activism, you'd be a fucking idiot to use the routine features of a smartphone.

Re:On trusting shit. (1)

Anonymous Coward | more than 2 years ago | (#38274376)

No kidding. They control the gateways... They control the connections... They can infer 99% of what you do by the data going thru *gasp* their servers... Anyone who doesn't know this is delusional...

Re:On trusting shit. (1)

bemymonkey (1244086) | more than 2 years ago | (#38277428)

So how do you get around something like this?

I'm already using a prepaid card in a non-carrier-branded smartphone, but I'm sure that prepaid card still gives my provider some level of access to my phone.

Has anyone else considered using an unbranded MiFi-type mobile broadband router in conjunction with VPN via the smartphone, and all communications (IM, E-Mail, VoIP) routed through that VPN? Shouldn't be a lot of snooping possible there, right? With no SIM-Card in the phone (or WiFi-only smartphone-sized device), the carriers shouldn't be able to track anything at all... hopefully...

I don't care if it is harmless (4, Insightful)

Snotman (767894) | more than 2 years ago | (#38274244)

If CarrierIQ is making money from studying my behaviors, then I want a cut or I want to uninstall their craptastic software. I should not be forced to consume software I do not want. If Android wants analytics, then build it into Android OS. My relationship is with my phone manufacturer and the OS manufacturer. I should be able to decide what other relationships I want. CarrierIQ can contact me if they think their software somehow adds value to my experience. Otherwise, do more testing.

Re:I don't care if it is harmless (3, Interesting)

Fnord666 (889225) | more than 2 years ago | (#38274354)

If CarrierIQ is making money from studying my behaviors, then I want a cut or I want to uninstall their craptastic software. I should not be forced to consume software I do not want. If Android wants analytics, then build it into Android OS. My relationship is with my phone manufacturer and the OS manufacturer. I should be able to decide what other relationships I want. CarrierIQ can contact me if they think their software somehow adds value to my experience. Otherwise, do more testing.

Just to be clear, CarrierIQ didn't put the software on your phone. Your mobile phone provider, with whom you do have a relationship, put it there. If you feel that is a violation of said relationship, take it up with them. No one forced your provider to install CarrierIQ.

Re:I don't care if it is harmless (5, Insightful)

icebike (68054) | more than 2 years ago | (#38274626)

No one forced your provider to install CarrierIQ

And you have not a single shred of leverage to get the carrier to remove it.

Unless and until the hue and cry becomes so loud and congress takes an interest, they will all continue to foist this stuff on the user, so your threat to take your business elsewhere means nothing.

If you don't object to this camel's nose, you'll have the neck and forelegs soon.

CarrierIQ makes its living selling burglar tools. They can't survive without your acquiescence. Your carriers won't help you.

Go Senator Franken!

Re:I don't care if it is harmless (0)

Anonymous Coward | more than 2 years ago | (#38275312)

Ask them to refund your monthly data charge. Claim that CarrierIQ resulted in a 100% bandwidth increase. When they deny it then ask them how much it did use...exactly. It is unlikely they will be able to answer that question so assume it was all.

Re:I don't care if it is harmless (1)

renedox (866133) | more than 2 years ago | (#38275746)

That is assuming you can prove that CarrierIQ is using 100% of your bandwidth. If not, you'll still end up going nowhere.

Re:I don't care if it is harmless (2)

b4dc0d3r (1268512) | more than 2 years ago | (#38276212)

CarrierIQ makes money if you buy a phone and install a custom kernel - most likely a per-device contract.

CarrierIQ is making money by selling a service that carriers want. To reply to the original:

If Android wants analytics, then build it into Android OS.

Android doesn't, the carrier does, that's why they put it in.

My relationship is with my phone manufacturer and the OS manufacturer.

No, just the phone manufacturer, and only if you bought it directly. If you bought it through the carrier, your only relationship is with the carrier. They build and customize the OS because they can.

I should be able to decide what other relationships I want.

You buy something, sign an agreement, and don't understand all of the implications of the agreement. And blame the other party.

You can't get a closed software phone, or closed anything, and trust anything about it. This has been proven repeatedly, and there are people who investigate everything - from what Microsoft sends with its crash or WGA data, to what Apple stores in its GPS logs.

If you care about your privacy, but you trust closed software until someone else tests it and brings up concerns, you don't deserve your cut of anything.

Your carriers won't help you. Go Senator Franken!

And if you depend on Congress to investigate and change the rules, remember Citizens United. It will only go so far, and it won't protect the next technology company on the next wave of technology. They investigated Apple for GPS logging, it didn't stop this. They investigated Facebook's privacy settings, it didn't stop this. Even if Congress puts a complete halt to this, it won't affect anything that comes next.

If you value privacy, you will not use anything you don't understand completely. Packet captures, wireless dumps, debugging, hell disassemble everything. Either care about it, or accept that everyone is spying on everything you do until you make sure they aren't. If that means coating your house in a Faraday cage so your TV can't be made out, it's up to you to understand that your TV can be viewed through your wall, or don't use a TV.

You can't leave this up to Congress. Talk with your wallet. Cancel your contract AND ACCEPT THE ETF. If you want to fight the fee, good luck in arbitration because you probably agreed to "data collection in support of our network" and "arbitration instead of a lawsuit". And unless you contributed more to a Senator's PAC than the wireless company did, you have a very slim chance of getting results. Franken can make a stick, but he can't change anything unless the majority agrees, and the other chamber. And I guarantee you didn't contribute to every congress person's campaign. Sometimes the system works, but it's rare.

Re:I don't care if it is harmless (1)

mihalisgr (2493310) | more than 2 years ago | (#38277414)

Android doesn't, the carrier does, that's why they put it in.

Whoa, wait a sec. It really bothers me that people suggest (and the article also) that carriers need my DEVICE to send them the info of how I use their service? Don't they have like a log of everything I've ever done with my phone? How do they charge me then? Shall I promise I will be a good boy and not exceed my cheap monthly plan?

Spyware is spyware (0)

Anonymous Coward | more than 2 years ago | (#38276806)

Spyware is spyware, Carrier IQ knew what they were doing when they wrote it. Saying 'blame the carriers' ignores the fact that Carrier IQ salesmen at some point went to the Carrier and said "wouldn't it be great to know exactly what your customers are doing with their phones, where they use it, how they use it, what they run, which videos they play offline".

Carrier IQ were the ones who made it not uninstall.
Carrier IQ didn't put the opt in feature in.

Also you are implying the Carriers had agreement to do this from the users, and customers are outraged. But if customers had agreed to this, why are they outraged?? Because they didn't. There was no opt in possible with this, it was placed on their phone and until recently we only found out what it was doing.

Other devices. (0)

Anonymous Coward | more than 2 years ago | (#38274300)

Would Carrier IQ make any sense for other devices like a Kindle? Not phones but still networked. Someone asked me and I had no idea.

Re:Other devices. (1)

TimeOut42 (314783) | more than 2 years ago | (#38274524)

err, Silk.....

Why is CarrierIQ an issue? (1)

Anonymous Coward | more than 2 years ago | (#38274318)

If someone at the carrier wants to record every SMS, phone call, or conversation then he or she has much simpler ways to accomplish the task. The carrier sees every exchange through its own equipment and could simply log the exchange in the network - at the network switch or cell site. Why is an application installed at the endpoint something especially sinister?

Re:Why is CarrierIQ an issue? (1)

Stumbles (602007) | more than 2 years ago | (#38274440)

That's a good question. My tinfoil hat says the government is involved with CarrierIQ and all this hoopla is simply a diversion.

Re:Why is CarrierIQ an issue? (1)

TimeOut42 (314783) | more than 2 years ago | (#38274532)

So do those 3rd party SMS apps, email clients, dialers, etc. This is strange or unusual; it just got a lot of press.

Re:Why is CarrierIQ an issue? (5, Informative)

Bill Dimm (463823) | more than 2 years ago | (#38274562)

According to this video [wired.com] Carrier IQ has the ability to capture URLs that are entered, including HTTPS URLs. When a browser makes a secure connection (HTTPS), the URL is encrypted before the browser transmits it to the target webserver to protect any sensitive information it may contain. So the carrier would not be able to log such URLs through their equipment -- Carrier IQ allows them to do it by intercepting before encryption is applied.

Re:Why is CarrierIQ an issue? (-1, Troll)

TimeOut42 (314783) | more than 2 years ago | (#38274728)

The URL is not encrypted when it travels over SSL (https), neither is anything on the request string. So, if you ever see something https://myfavoritebankingsite.com?username=sillyperson&password=1234 [myfavorite...ngsite.com] then you need to know that the username and password are sent in the 'clear'. Just to be clear, I mean unencrypted.

If the URL was encrypted then the packet would have to wander across the entire network hoping to find its destination.

Re:Why is CarrierIQ an issue? (1)

Anonymous Coward | more than 2 years ago | (#38274804)

Totally wrong. Only the IP address and hostname are transmitted in clear. Everything else in the request (resource name, any other headers, etc) are encrypted.

Re:Why is CarrierIQ an issue? (1)

Bill Dimm (463823) | more than 2 years ago | (#38274824)

incorred [stackoverflow.com]

Re:Why is CarrierIQ an issue? (1)

Bill Dimm (463823) | more than 2 years ago | (#38275266)

Ugh. That's "incorrect" not "incorred"

Re:Why is CarrierIQ an issue? (1)

Anonymous Coward | more than 2 years ago | (#38274860)

What? That's not true, you're mixing the URL with the packet destination address. The IP addresses are not encrypted so people see that you visited 66.220.149.11:80, but they don't see that you visited https://facebook.com/randomuserpage.

Re:Why is CarrierIQ an issue? (0)

Anonymous Coward | more than 2 years ago | (#38275184)

You mean that the carrier sees that you're going to 66.220.149.11:443; from there they can extrapolate the host name based on your previous DNS request.
This is the method Barracuda web filters use to do HTTPS filtering.

Re:Why is CarrierIQ an issue? (1)

Vegemeister (1259976) | more than 2 years ago | (#38276678)

How do they handle DNS caches?

Re:Why is CarrierIQ an issue? (1)

AHuxley (892839) | more than 2 years ago | (#38276336)

Think of it as a form of digital Tempest. Long range your https is safe.
But like the electronic devices of the 1950s, if you're close, you get plain text.
Every key you press is noted before the https is sent.
So all the data is safe online, the math "workers" at telcos can tell the world the encryption they sell is "safe"
But the plain text is still wide open :)

They may not be (1)

Stumbles (602007) | more than 2 years ago | (#38274426)

but those carriers that installed it on cell phones just might be.

seriously (4, Insightful)

viperidaenz (2515578) | more than 2 years ago | (#38274444)

Why do people try and point a finger at CarrierIQ? Do you blame Smith & Western every time someone gets shot? Do you blame Volvo when someone steps in front of one of their busses? Do you blame Jack Daniels when someone drinks themself to death? If anyone wants to do any finger pointing it should be at the one responsible for installing and configuring the software - the carriers themselves.

Re:seriously (1)

Luckyo (1726890) | more than 2 years ago | (#38274638)

Smith&Wesson and amen.

Re:seriously (2)

confused one (671304) | more than 2 years ago | (#38275268)

Damn. It's almost like you planned it... I'm certain S&W has been sued over use of their guns. Volvo... Look up European regulations requiring manufacturers to make their cars and trucks safer to pedestrians. Jack Daniels has been sued by the families of alcoholics. So, apparently, people do blame the vendor for irresponsible use of their products even if it is outside of the vendor's control or the intended use of the product.

Re:seriously (1)

viperidaenz (2515578) | more than 2 years ago | (#38275514)

Just because people blame vendors for irresponsible use of their products doesn't make it right.

Re:seriously (0)

Anonymous Coward | more than 2 years ago | (#38276062)

If someone inserted a S&W in my phone I'd LOVE my phone even more. I'd take the S&W out and fondle it and call it George.

I miss Sledge Hammer

Re:seriously (2)

Vegemeister (1259976) | more than 2 years ago | (#38276686)

Because there are no legitimate uses of this software. And no, data mining is not legitimate.

Re:seriously (1)

viperidaenz (2515578) | more than 2 years ago | (#38276818)

What if I was a company that supplied a phone to my employees on the strict conditions that it be used only for business purposes and notified them that use of it is monitored for compliance? Also, if CarrierIQ didn't provide such software, don't you think the carriers wouldn't write their own? Better to have one piece of software that is removable than n different pieces of software developed by each carrier that probably aren't tested as well and can't be removed or as easily detected. Since they provide the firmware there isn't anything stopping them completely integrating it with the OS.

"Currently" ! (1)

bell.colin (1720616) | more than 2 years ago | (#38274684)

"but as it's currently deployed by carriers it doesn't have the ability to record SMS messages, phone calls or keystrokes."

"Currently" is the key word here and is subject to change over time!

Nature of the install (4, Insightful)

wickerprints (1094741) | more than 2 years ago | (#38274974)

As usual, the crux of the matter has to do with TRANSPARENCY and CONSUMER CONSENT. The question of whether or not CarrierIQ is actually capturing user behavior through the software is important, but actually secondary to the fact that the carriers themselves do not TELL the consumer that (1) we've installed this logging software on your device; (2) it is not possible through normal means to deactivate it; (3) this software runs without any disclosure or agreement in your contract; (4) this software runs on your device even if you are no longer under contract or even subscribed as our customer; and (5) this software is not an integrated component of the device's operating system.

And why don't they tell you these things? Because they can get away with it. The fact that this software is so hidden from the user, and is NEVER mentioned in any of the legal documentation you are asked to sign, is all the reason why the consumer cannot and should not be expected to simply take either the mobile network operator or CarrierIQ at their word when they say they're not tracking personally identifiable information. Yes, researchers have chimed in with their findings. But such broad, unregulated, and pervasive tools as CarrierIQ have enormous potential for abuse, and it is simply unacceptable to allow these companies to just chalk it up to "sorry we kept this a secret from you, but TRUST US, it's all perfectly innocent." Yeah, bullshit. If it were truly so innocuous, why did you go through such lengths to hide it and make it difficult to disable or remove?

Re:Nature of the install (1)

Anonymous Coward | more than 2 years ago | (#38275840)

"If it were truly so innocuous, why did you go through such lengths to hide it and make it difficult to disable or remove?"

Because people like you would disable it and then complain that they have had 15 dropped calls in the last couple of days and make forum posts about how awful X carrier is when it could have been fixed relatively easily via anonymous data statistics (which, contrary to what everyone thinks, is all the carriers are PAYING for with CIQ).

I agree that CIQ should be stripped down to the point where the only features even possible are anonymous network features but I do believe it is something every carrier should have and we'll all be worse off if carriers start dropping CIQ from their builds. It has been rather hilarious to see people who know next to nothing beat their proverbial war drums over this whole non-issue though.

Re:Nature of the install (2)

b4dc0d3r (1268512) | more than 2 years ago | (#38276298)

If you read your contract, you agreed. And, they can already see nearly everything anyway. If you bought the phone directly and not through a carrier, you probably have a valid legal situation, but they most likely don't install CARRIERIQ on a direct purchased phone. And as for the post-termination data collection, I haven't seen anything showing the data is sent anywhere after the contract is terminated, or in fact any actual packet capture of any data sent - only internal events being fired.

Every text you send, they already have because they have to send it. Every non-encrypted request, they have the full URL. If you're counting on SSL to protect you, consider SSL and TLS 1.0 plaintext [computerweekly.com]

If you start a proprietary app like Yelp or Shazam, you have no guarantee they are using any encryption, and should assume everything is being seen by your carrier.

Their disclosure should read, very simply, we are going to know everything you do because it's going over our network. But that would freak people out, so they don't.

Carrier IQ allows a higher level of detail, but it has not been proven to send anything but aggregate statistics which legitimately could help your carrier isolate problems without people having to call. The only concern I have is that the captured events might be a target for malware.

They don't want users uninstalling it because it's useful information.

If you want full disclosure, you're going to have to build the kernel yourself, and read every line of the code, or disassemble it. Otherwise, read every line of your contract and assume the most lenient interpretation.

Short version: do not buy a subsidized phone.

They have your consent next time, at least (0)

Anonymous Coward | more than 2 years ago | (#38276730)

For everyone, there's always a first time. For you it happens to be now. Your outrage is understandable and justified.

But now you know that almost all computers come with malware of some kind preloaded, and that it is especially expected when purchased from ISPs. If you buy another one tomorrow, knowing and expecting this, will it still be without consent?

Fool me twice, shame on me.

Re:Nature of the install (1)

thsths (31372) | more than 2 years ago | (#38277118)

> The fact that this software is so hidden from the user,

Exactly - this is a clandestine operation, and CarrierIQ has taken several steps to try to keep it such. "If you haven't done anything wrong, you don't mind being found out, hm?" Unfortunately CarrierIQ has all the hallmarks of something fishy going on.

And here comes the good part: the customer (we) have the right to go just with a rumour and vote with our feet. We need no investigation, no due process, no shred of tangible evidence. A suspicion is enough to change our behaviour, and there is nothing they can do. We have the power.

(And I'd better stop here before I write "We are the 99%.")

Intelligence Everywhere (5, Interesting)

clonehappy (655530) | more than 2 years ago | (#38275298)

Here's the thing. I think this whole CarrierIQ debacle is being played up in the media for exactly the reason stated in the title, because it ISN'T logging data, texts. It really isn't sending your data back to the carrier, government, or whomever. What it does, is far beyond the understanding of the average consumer of the nightly news. So the media will trot out the experts who say, "This software does not send your data back to the carrier, it just hooks the keyboard for diagnostic purposes at a level beneath the userland of the Android operating system."

And, whoosh.

In the minds of the masses, it was harmless.

But it isn't harmless. The software certainly has the capability of monitoring/logging/reporting every keypress on the phone and sending it to whomever it's configured to send it to. No one outside the "slashdot-esque" crowd knows much about rootkits, system hooks, etc. etc., however. But now, whenever someone mentions the fact that phones are spying on you, everyone can come out and say "No, they're not. Didn't you hear? CarrierIQ was harmless. You're a tinfoil-hat nutter!" Even though they still will be monitoring everyone, either through this method, ones hidden better, at the switching center, or voluntarily (Facebook, etc.) And it'll be business as usual.

Right now, you can be pretty certain your phone isn't doing any real, wholesale spying, since to transport that amount of voice/video, or whatever type of data will kill your connection and drain your battery faster than you can say "fourth amendment" (until you connect to wi-fi, of course). The real trojan horses are the 4G networks. Especially once LTE connections are the norm, it will be trivial to log a tremendous amount of real-time "intelligence" (because that's exactly what these phones are, intelligence gathering tools) and quickly whisk it up to whomever wants to see your data without you noticing. I'm sure it'll be as simple as someone in a spook hideout pressing a button and, voila, the 4G network is providing them a real-time peek and listen into your life.

They're not kidding: Intelligence Everywhere! [blogspot.com]

Re:The boy who cried wolf (1)

b4dc0d3r (1268512) | more than 2 years ago | (#38276334)

We never saw data leave the device. Simple. Don't trust anything, and prove data being sent with actual packet captures. Eckhart's video shows events being caught, nothing more, as you pointed out. If someone says the next wave is harmless, it is simple to demonstrate that it's not. Explain it with as few syllables as possible with a video that anyone could reproduce. Get the word out right now that Eckhart's video is misleading, even if people don't understand exactly why.

Distrust everything, even security researchers. Double check their results yourself, especially if their conclusions follow from the data.

Re:The boy who cried wolf (1)

Vegemeister (1259976) | more than 2 years ago | (#38276728)

Holding data and sending it later when the transmission would not seem out of place is trivial. It is possible to discover spyware through packet-sniffing, but quite impossible to certify that spyware does not exist on a system. (This is why people who do anything but reformat and restore from backup in case of security breaches or virus infections are idiots.)

Lack of responsibility or accountability. (1)

gstrickler (920733) | more than 2 years ago | (#38275346)

CarrierIQ claiming the responsibility is all on the carriers is a bit of a stretch. It's like a lock manufacturer giving your home builder (or mortgage company) a key to your house, then trying to claim they have no responsibility for how the home builder (or mortgage company) uses that key. Claiming "we didn't know they were going to rob or rape you" doesn't really absolve them of responsibility or liability.

*Newsflash* Email is unsecure. (1)

aristotle-dude (626586) | more than 2 years ago | (#38275702)

Every email that you send whether encrypted or not travels through multiple servers on the internet and is stored, at least temporarily on each of those servers as it routes through the internet.

If you are concerned about privacy, you should not divulge sensitive information on the internet or use encrypted email and/or more secure point to point protocols.

The stark reality however, is that nobody is interested in spying on boring ordinary people never mind that spying on everyone would be prohibitively expensive and a logistical nightmare.

What is Carrier IQ for? (2)

microphage (2429016) | more than 2 years ago | (#38275910)

"United States Patent US 7,551,922 B2 Jun. 23, 2009"

"tracks the data collection activity occurring on the devices and maintains detailed information about the specific data collection profiles that are active on the devices .. The queries may be structured in such a way that performance information is gathered about the effect of a simple activity, such as a button press by the user, or information may be gathered about more complex transactions" link [google.com]

Re:What is Carrier IQ for? (1)

b4dc0d3r (1268512) | more than 2 years ago | (#38276358)

So it's a framework for capturing what the carrier configures it to capture. What's important is, what does the carrier want to capture? If anyone gives a fat damn, we need to know how to get the configuration. Even if that means disassembling the code because configuration is done at compile time. Each carrier will be different, and I'm pretty sure each device could be different.

The patent tells us nothing.

This isn't a rebuttal (4, Insightful)

izomiac (815208) | more than 2 years ago | (#38275954)

Here's a quick summary regarding keystroke logging made by the two recent articles:

Original video [youtube.com] that demonstrated CarrierIQ logging keystrokes. I.e. not a theoretic capability, nor a risk, but actual entries into the system log. This was performed on a stock HTC Evo 3D.

This article is asserting that CarrierIQ does not contain the necessary hooks for keystroke logging on the Samsung Epic 4G Touch.

IOW, the two articles are not making the same claim. It is already known that different phones have different versions of CarrierIQ. This article isn't claiming that no phone has the capability to log keystrokes, merely that the Epic does not. The original article wasn't claiming that all phones are logging keystrokes, merely that the Evo is. Methinks someone is trying to manipulate public opinion, as the original video is surprisingly difficult to find, and this article's claims were immediately exaggerated and that version of the story was popularized.

Re:This isn't a rebuttal (1)

AHuxley (892839) | more than 2 years ago | (#38276402)

Have a search for 3G modems ;)

Just a thought (1)

atouk (1336461) | more than 2 years ago | (#38276414)

Forgetting about the argument if the OS being owned or licensed by the phone owner, the actual hardware is owned by the user. And even assuming that the cell providers were complicit in installing the software... Any software installed without the consent or knowledge of the user is using processor resources. Would the use of clock cycles without permission be considered theft of services? Before laughing too hard, imagine what would happen if someone broke into any corporate computer in the world and was running processes without consent. The scale of the hardware isn't relevant. The fact that someone bought a piece of hardware with certain advertised specs, but was denied 100% access to them because a third party unknowingly was hijacking a certain percentage of them for its own uses.

Not the point (2)

Casandro (751346) | more than 2 years ago | (#38276834)

The point is that if I buy a computer, it should do exactly what I want it to do. Installing any sort of software which I don't want for any reason is a step in the wrong direction.

Seriously, we need to get the operators and the hardware companies out of the software loop. I get my software from one place, the hardware from another and the wireless service comes from a third.

WHO CARES??? (0)

Anonymous Coward | more than 2 years ago | (#38277502)

Why should I care about what CarrierIQ does or does not after I switched to a phone that doesn't have CarrierIQ?

This story is my favorite butthurt story so far and I really enjoy seeing CarrierIQ fail, even though I do not care what CarrierIQ does or does not. My time is too precious for that.
