
Carrier IQ Responds To FBI Drama, EFF Wants More Information

Soulskill posted more than 2 years ago | from the it-was-the-one-armed-logging-software dept.

Android 140

New submitter realized writes "Yesterday Carrier IQ released a report (PDF) which tries to answer some questions about how their system operates. Also, after reports of the FBI using Carrier IQ data, the company responded by saying, 'Carrier IQ has never provided any data to the FBI. If approached by a law enforcement agency, we would refer them to the network operators.' Additionally, the EFF just released a report which says they believe keystroke data 'is in fact being inadvertently transmitted to some third parties,' but they would like to study carrier profiles to verify information." Reader Trailrunner7 adds that Carrier IQ's report indicates "under some limited circumstances its software will log the contents of SMS messages sent to a user's phone, but that the contents of those messages would not be human readable. Instead, they would be in an encoded form that could not be decoded without special software and the carriers don't have access to the contents of the messages either. The company said it has worked on a fix for the bug, which affected devices running the embedded version of the Carrier IQ agent."


140 comments


Note (-1)

Anonymous Coward | more than 2 years ago | (#38364538)

the silent shuffle from AT&T in all this.

A Little Help Please? (0, Offtopic)

LifesABeach (234436) | more than 2 years ago | (#38364598)

I've got the iPhone, how do I crib smother this Carrier IQ parasite?

Re:A Little Help Please? (0)

Anonymous Coward | more than 2 years ago | (#38364636)

From what I understand, and people should feel free to correct me, the iPhone grabs very little information. With that said I think it's very easy to disable, simply go to settings > about and turn off diagnostics and usage.

Re:A Little Help Please? (3, Informative)

Anonymous Coward | more than 2 years ago | (#38364874)

True. Here's the strange thing, though. Apple's statement was: "We stopped supporting Carrier IQ with iOS 5 in most of our products, and we're going to remove it completely in a future software update." Not particularly clear. On followup, that was narrowed down to the iPhone 4 with iOS 5 still has carrier IQ (and Verizon doesn't use carrier IQ, so it might be ATT iPhones only). Either way, carrier IQ wasn't doing keystroke logging or any of the other strange shit.

Re:A Little Help Please? (3, Funny)

VortexCortex (1117377) | more than 2 years ago | (#38364656)

Install gentoo.

Re:A Little Help Please? (1)

LifesABeach (234436) | more than 2 years ago | (#38365256)

I weep with envy. I'm hoping someone has an app for eradicating this Carrier "Room Temperature" IQ.

Re:A Little Help Please? (0)

Anonymous Coward | more than 2 years ago | (#38365334)

Go back to /g/.

Re:A Little Help Please? (1, Informative)

Anonymous Coward | more than 2 years ago | (#38364670)

Step 1: Buy an Android phone
Step 2: Run one of the numerous CIQ detection apps
Step 3: If found, install an AOSP ROM like CM7

Re:A Little Help Please? (3, Informative)

PNutts (199112) | more than 2 years ago | (#38364730)

Step 1: Buy an Android phone
Step 2: Run one of the numerous CIQ detection apps
Step 3: If found, install an AOSP ROM like CM7

Yes, much simpler than turning off a single option in the iPhone's preferences (after you've turned it on because it's off by default). Or don't turn it off because you can see what it sends in clear text and it doesn't log anything except diagnostic information.

Re:A Little Help Please? (1, Troll)

bruno.fatia (989391) | more than 2 years ago | (#38365088)

Do you really trust this company that their software will indeed work as informed (sending ONLY if allowed, not logging user habits, etc)? After numerous times saying that their software is harmless to the users and each and every day being proven wrong by security specialists I wouldn't trust it even with these settings turned off.

Re:A Little Help Please? (2, Informative)

Anonymous Coward | more than 2 years ago | (#38365366)

Well, security researchers have shown that on the iPhone it does in fact start up, check the user's option to have it enabled (which is off by default), then exit immediately if it is disabled.

With the fact that Apple is very open about how it gets turned on, leaves it disabled by default and even makes you accept a new privacy policy to enable it, and all of that has not been disputed by researchers, I will say "Yes, I can trust them"

Enjoy your spyware riddled Android device.

Re:A Little Help Please? (2, Funny)

Anonymous Coward | more than 2 years ago | (#38365932)

And by spyware riddled you mean perfectly clean, I suppose. Small typo.

Re:A Little Help Please? (4, Insightful)

RubberMallet (2499906) | more than 2 years ago | (#38367118)

There's nothing to turn off on my Android... CarrierIQ isn't even installed... wasn't installed from the beginning. So.. who has the spyware riddled device now? The iPhone which actually has the software installed, or the Android where it isn't? Hmmmmm

Re:A Little Help Please? (1)

currently_awake (1248758) | more than 2 years ago | (#38365466)

If it's a troubleshooting tool then it would benefit from remote activation. If it's a spy tool then it needs remote activation. Removing the software isn't the same as not having it (currently) running.

Re:A Little Help Please? (0)

Anonymous Coward | more than 2 years ago | (#38366194)

I don't mean to point out the obvious here, but regardless if you root your phone, delete every "tracking" file on the device, the carrier can still do whatever they want. The point behind most of the Carrier IQ text files on the phone is to send networking reports on spotty coverage, no one seems to believe that, they just hear what the full capabilities of it are even if they aren't set up that way. With first hand experience with what carriers can see they sure as heck don't need a text file on a phone to track anything.

Re:A Little Help Please? (4, Insightful)

KahabutDieDrake (1515139) | more than 2 years ago | (#38366430)

This seems to be the point everyone is missing in all this. The carrier doesn't need spyware to spy on you, THEY ALREADY SEE ALL YOUR STUFF IN PLAIN TEXT. It's not like ATT needs a warrant to open up their own network and take a look around. Nor does verizon need federal permission to log, through their data proxy, every address you ever visit, for how long and using what protocols. In point of fact, current federal law requires these companies to store this information, for a very long time.

What exactly do people think CIQ can tell the carrier that they don't already know? The pathetic answer is, real world network performance diagnostic data. Which is just about the ONLY thing the carrier doesn't already know about your handset.

Re:A Little Help Please? (2)

Stalks (802193) | more than 2 years ago | (#38367246)

Actually it's easier than this.

Step 1: Buy an Android Phone

Don't buy it from a carrier and it doesn't have this crud installed.

Re:A Little Help Please? (4, Insightful)

shutdown -p now (807394) | more than 2 years ago | (#38366924)

Step 1: Buy a Nexus phone.
There is no step two.

FTFY.

Re:A Little Help Please? (0, Troll)

DewDude (537374) | more than 2 years ago | (#38364692)

Apple doesn't need Carrier IQ to keep up with you....the first time you picked one up it injected tiny nanobots that multiplied inside your body...connecting to and learning to interpret the synapses in your brain....although they likely don't do anything except turn you into another Apple-loving drone.

Re:A Little Help Please? (1)

LifesABeach (234436) | more than 2 years ago | (#38365312)

Someone with a need to use Carrier "V.P.Chainey" IQ sure hates folks that disagree. Hate is not a Bestiality Value.

Re:A Little Help Please? (2)

LifesABeach (234436) | more than 2 years ago | (#38365336)

I don't think your comment is Flamebait, unless the Mod'er is racist against Nanobots?

Re:A Little Help Please? (3, Informative)

andydread (758754) | more than 2 years ago | (#38364784)

Install Cyanogen Mod.

Re:A Little Help Please? (0)

Anonymous Coward | more than 2 years ago | (#38365520)

I'd do it in a heartbeat if they supported my Galaxy S 4G.

Re:A Little Help Please? (1)

schwit1 (797399) | more than 2 years ago | (#38365826)

Why buy an Android that's not supported by CyanogenMod?

Re:A Little Help Please? (4, Informative)

Anonymous Coward | more than 2 years ago | (#38364786)

Apple has said that they are almost done using Carrier IQ for other methods of data collection.
http://allthingsd.com/20111201/apple-we-stopped-supporting-carrieriq-with-ios-5/

The quote is:
“We stopped supporting Carrier IQ with iOS 5 in most of our products and will remove it completely in a future software update. With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information. We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so.”

And for the Fanboys out there I say Other methods since they will still get "diagnostic data sent to them".

Re:A Little Help Please? (3, Insightful)

jesseck (942036) | more than 2 years ago | (#38364866)

That just means they have a replacement that will do the same.

Not too surprised here... (2)

zman58 (1753390) | more than 2 years ago | (#38364964)

I would not be surprised if any cell phone, even the dumb ones, could be remotely enabled to log keys and other private information at the drop of a hat with order from proper authority. I could see the big corporations and government interests lying somewhere along the lines of "The technology is capable of it, why not include the feature for the sake of public "security"?" Same goes for any of the cloud connected network devices, such as the Kindle. Remember, when you are in the cloud you are in another party's home, running on their network under their control. Do you trust them with your private information? You better read *all* of the fine print before agreeing to it and using their services. Even then, can you really *trust* them?? What can't they tell or reveal to you because their mouths are zipped with all of the blessings of the US government?
"Show me the source code, and let me rebuild it" is the only way to be sure. To be sure you, or someone else who you trust, need to be able to inspect it and reconstruct it to confirm that it does what you want it to do and does not do what you don't want it to do.

Such as in the case of using the GPL. This is why the GPL rules when it comes to privacy and controlling the technology you use. Proprietary solutions, such as found in today's smart phones, are very risky because you have no way of knowing the full extent of what harmful things they can actually do.

Re:Not too surprised here... (2)

thestuckmud (955767) | more than 2 years ago | (#38365860)

"Show me the source code, and let me rebuild it" is the only way to be sure.

Are you certain? Really? [wikipedia.org]

Re:A Little Help Please? (5, Insightful)

Black Parrot (19622) | more than 2 years ago | (#38365308)

I've got the iPhone, how do I crib smother this Carrier IQ parasite?

Next time you drive across a bridge, toss it out the window.

Re:A Little Help Please? (1)

abhi_beckert (785219) | more than 2 years ago | (#38365554)

When it asks you if you want to send diagnostics. Say no.

If you were stupid enough to say yes in the past, you can change it in settings -> general -> about -> diagnostics.

The more you know... (2, Interesting)

Anonymous Coward | more than 2 years ago | (#38364604)

http://en.wikipedia.org/wiki/COINTELPRO [wikipedia.org]
http://en.wikipedia.org/wiki/Citizens'_Commission_to_Investigate_the_FBI [wikipedia.org]

I suspect COINTELPRO has been updated and perfected by now.

Re:The more you know... (5, Insightful)

cosm (1072588) | more than 2 years ago | (#38364712)

And we give you more shiny toys...
All the better to track you my dearie!

And we give you better airport security...
All the better to control you my dearie!

And we give you more in store free membership cards...
All the better to know your every purchasing move my dearie!

And we give you more places to report SSNs...
All for the illusion of importance and identification my dearie

And we give you traffic and overhead cameras...
All the better to make sure your driving safe dearie!

And we give you more social networks...
All the better to keep you and our friends close, so we can keep you our enemy closer!

And we give you internet shaping and monitoring...
All the better to provide better content delivery my dearie!

And we give you more child porn laws and content ratings...
All the better to protect your eyes my dearie!

And we give you more drug laws and consensual restrictions...
All the better to keep you safe my dearie!

And we invade other countries and install governments...
All the better to ensure your security my dearie!

And I give you the slow erosion of all that is personal responsibility, hard work, civil liberties, freedoms, independence, free speech, and everything America ever once strived at standing for...
All the better to own you my dearie!

Re:The more you know... (2)

Tooke (1961582) | more than 2 years ago | (#38366506)

All the better to make sure your driving safe dearie!

And we give you apostrophes for clearer communication... Dearie.

Why? (0)

Anonymous Coward | more than 2 years ago | (#38364606)

Why do they feel the need to include shit like this? God damn it I hate big corporations.

Re:Why? (2)

zman58 (1753390) | more than 2 years ago | (#38364836)

You probably gave them your blessings in the user and/or license agreement in one way or another. Not that you would actually understand what you gave up--they would not want that. It's all in the fine print, buried in the legalese. You need a lawyer anymore when you purchase a simple gadget if you really want to understand what it means for you to have it in your possession.

"A fix for the bug"? (4, Insightful)

T5 (308759) | more than 2 years ago | (#38364610)

The fix is to not install spyware on the phones in the first place. How hard is this to understand?

Re:"A fix for the bug"? (4, Insightful)

Sponge Bath (413667) | more than 2 years ago | (#38364646)

It is well understood, but perceived to be less profitable so is dismissed as an option. Same as it ever was.

Re:"A fix for the bug"? (1)

Anonymous Coward | more than 2 years ago | (#38364828)

Corporations are Psychopaths [wikipedia.org] .

They don't care about things like decency, privacy, or human dignity.
They do care about things like making a profit.

The only (read: ONLY) method to modify the behavior of a corporation is to make a given action non-profitable.

The government is truly missing a serious opportunity here. It is cash strapped. And corporations need to be brought into line.
Fuck taxes that the corporations will avoid anyway; add an intensifier for all fines payable by corporate entities.

Re:"A fix for the bug"? (1)

ThePeices (635180) | more than 2 years ago | (#38365194)

A corporation is NOT a psychopath.

Corporations are not humans. They are companies.

Re:"A fix for the bug"? (4, Insightful)

MightyMartian (840721) | more than 2 years ago | (#38365370)

Corporations are not humans. They are companies

.. run by psychopaths.

Re:"A fix for the bug"? (0)

Anonymous Coward | more than 2 years ago | (#38366266)

Corporations are not humans. They are companies.

The supreme court (wrongly) disagrees with your statement.

All hail our new commander in chief and Dear Leader, President wall-mart! http://tinypic.com/view.php?pic=smcz&s=5

Re:"A fix for the bug"? (4, Funny)

advocate_one (662832) | more than 2 years ago | (#38367212)

Corporations are not humans. They are companies.

The supreme court (wrongly) disagrees with your statement.

I'll believe in corporations having personhood when Texas executes one...

Re:"A fix for the bug"? (1, Interesting)

artor3 (1344997) | more than 2 years ago | (#38365284)

It's not spyware. Carriers want info on how people use their phones so that they can fix bugs and make better phones. It's no different from software that occasionally reports home with usage statistics. Everyone does it, and it's a good thing. The only problem is that a few OEMs and carriers disabled the user's ability to opt out.

CarrierIQ makes a legal, useful, morally-sound product. Some companies go on to use that product in a legal, useful, but less moral manner. But some asshole of a security researcher figured out (correctly!) that he'd get way more hits on his webpage if he accused them of making a rootkit and keylogger. And now all the innocent, hardworking developers at this small business will be out on the streets, because the rage-a-holics want something to scream about, and the media is more than happy to manufacture controversy if it means good ratings.

So congrats. You're going to destroy the lives of some innocent people over the tiniest of slights. I'm sure you're very proud.

Re:"A fix for the bug"? (4, Insightful)

Rennt (582550) | more than 2 years ago | (#38365710)

Legal, useful, and morally-sound? Yeah, that doesn't sound like a paid comment. It IS a rootkit, by definition (does it hide from your process list, can you remove it?). The EFF thinks it HAS been used as a keylogger, even if unintentionally. No matter what the customer agreed this functionality is morally reprehensible. If anything, the carriers deserve some credit for showing restraint in the use of this application, but CarrierIQ itself deserves all the criticism it is getting.

Re:"A fix for the bug"? (5, Insightful)

Wolfier (94144) | more than 2 years ago | (#38366056)

It's not spyware. Carriers want info on how people use their phones so that they can fix bugs and make better phones. It's no different from software that occasionally reports home with usage statistics. Everyone does it, and it's a good thing. The only problem is that a few OEMs and carriers disabled the user's ability to opt out.

CarrierIQ makes a legal, useful, morally-sound product. Some companies go on to use that product in a legal, useful, but less moral manner. But some asshole of a security researcher figured out (correctly!) that he'd get way more hits on his webpage if he accused them of making a rootkit and keylogger. And now all the innocent, hardworking developers at this small business will be out on the streets, because the rage-a-holics want something to scream about, and the media is more than happy to manufacture controversy if it means good ratings.

So congrats. You're going to destroy the lives of some innocent people over the tiniest of slights. I'm sure you're very proud.

Not so fast. I suspect if CarrierIQ didn't attempt to SLAPP the researcher, none of its PR disaster would have happened.
Don't act as if CarrierIQ is totally in the right, because it is not. The moment they decided to unleash a lawyer first, and then an honest disclosure when necessary, their fate was sealed.

Re:"A fix for the bug"? (1)

cHiphead (17854) | more than 2 years ago | (#38367592)

It's pretty obvious what's going on, CIQ is essentially an NSA (or other intelligence sponsored) front that can be used for, apparently, an insane amount of intelligence gathering with minimal need to work with different providers and other corporations at the same time. Makes perfect sense from their intelligence perspective to have that extra 'last mile' intelligence capability on individual cell phones. They're also playing it smart by letting CIQ pretend to be 'open' to discussion and pushing a network diagnostics angle to throw off the scent of any nefarious activity. Years ago, I would've assumed my own view on this is conspiracy bullshit, but it makes sense from an intelligence gathering standpoint. Hell of an idea though. Also, if they AREN'T using CIQ for this, that's just outright incompetence on their part, whoever is in charge of doing stuff that improves their creation of a controlled populace police state will probably get demoted or fired.

Re:"A fix for the bug"? (1)

houghi (78078) | more than 2 years ago | (#38367006)

The only problem is that a few OEMs and carriers disabled the user's ability to opt out.

It starts earlier. The standard option should be opt-out. In fact anything and everything should be opt-out by default.

Re:"A fix for the bug"? (0)

Anonymous Coward | more than 2 years ago | (#38367386)

"You're going to destroy the lives of some innocent people" - the employees.

That's a dumb argument.

What am I gonna do now, I shouldn't wish for corrupt govt to lose their jobs and end up in jail because they have kids !?

and so on..

my govt killed innocent people, is starving 20 mil people right now, is literally selling my country piece by piece, etc etc (oh, that's Romania btw)...

Re:"A fix for the bug"? (3, Insightful)

L4t3r4lu5 (1216702) | more than 2 years ago | (#38367468)

It's no different from software that occasionally reports home with usage statistics.

The difference here is that I wasn't asked if I wanted to provide usage statistics, didn't even know that such statistics were being created, and the data being collected goes way beyond that which would be useful to any developer. Why would they need to know the content of my SMS messages to make a better app? Why do they need to know who I called and when, not just that a call was made?

This is just too invasive. If they made it so it reported the most basic, anonymised stats there wouldn't be a problem. What they have done, however, is load devices which potentially contain sensitive personal data with remote monitoring software, with access to communications made on that device. It's too much, and they need to be called out on it.

No secret decoder ring here! (5, Interesting)

undeadbill (2490070) | more than 2 years ago | (#38364644)

Instead, they would be in an encoded form that could not be decoded without special software and the carriers don't have access to the contents of the messages either.

Yeah, first they say they don't sniff your traffic, then they say this, then that, then they pull the "not without our secret magic decoder ring" argument. If they are working with government agencies to use this software (and it may not be the FBI), they wouldn't even have the ability to admit to it- those kinds of agreements require the company to deny everything in perpetuity.

First thing this new year, I'm migrating my phone over to cyanogenmod. I'd do it now, but I just don't have the time.

Re:No secret decoder ring here! (1)

msauve (701917) | more than 2 years ago | (#38364772)

"not without our secret magic decoder ring"

Everything is encoded with ROT-13. What's the problem?

Re:No secret decoder ring here! (2)

davester666 (731373) | more than 2 years ago | (#38364924)

Or the doubly-secure ROT-26!

Re:No secret decoder ring here! (3, Funny)

VortexCortex (1117377) | more than 2 years ago | (#38365126)

Actually, you're almost there. The most secure encryption is to simply XOR each byte with itself.

Re:No secret decoder ring here! (0)

Anonymous Coward | more than 2 years ago | (#38365846)

That works amazingly well, and has the benefit that your secret files compress really well too with winzip!

Re:No secret decoder ring here! (1)

Anonymous Coward | more than 2 years ago | (#38367362)

That's not encryption, that's a hash with infinite collisions;))

Re:No secret decoder ring here! (3, Insightful)

betterunixthanunix (980855) | more than 2 years ago | (#38364908)

First thing this new year, I'm migrating my phone over to cyanogenmod

Or, you could use your phone less, and use other devices more. The more dependent we become on our cell phones, the more power the cell phone companies will have over us.

Re:No secret decoder ring here! (1)

Rennt (582550) | more than 2 years ago | (#38365844)

So your answer to being beholden to mobile carriers is to remain beholden to ISPs? The same ISPs that run all the mobile services? How is a wireline going to make any difference if the provider is the same?

The answer, as always, is to 1) secure your shit. 2) hold carriers to a higher standard. Not to throw the baby out with the bathwater

Re:No secret decoder ring here! (1)

TheGratefulNet (143330) | more than 2 years ago | (#38366446)

I hear you! (can you hear me, now?)

seriously, though, you are right. we should use mobiles as little as possible. but try getting people to drop their data-drug-of-choice.

just try. try even asking teens to stop 'texting' (I really hate that term, btw).

consume, consume, consume! and since we don't make things in the US anymore, selling 'data' is a way for americans to make money.

well, some americans. I mean, some businesses. and by some, I mean less than a handful.

Re:No secret decoder ring here! (2)

whoever57 (658626) | more than 2 years ago | (#38364946)

Yeah, first they say they don't sniff your traffic, then they say this, then that, then they pull the "not without our secret magic decoder ring" argument.

And then there are rather disingenuous "we don't know what the carriers are doing with our software" claims.

This company has a history of providing statements that are either untruthful or less than complete. Why believe them now?

A bug or an undocumented feature? (0)

Anonymous Coward | more than 2 years ago | (#38364728)

In my company's software there are plenty of "bugs" that are really just features of the software that are as designed. For example, you used to be able to set a time limit on user sessions. But then we took that out. Many of our customers complained that it was a bug, but it wasn't. It was designed out simply so we could sell more user licenses. While my example is not terribly nefarious, it would not surprise me if there was a "bug" that fed call data and user text messages into our government's Total Information Awareness programs.

clarification needed (0)

Anonymous Coward | more than 2 years ago | (#38364766)

encoded or encrypted?

Talking through hat/lying through teeth. (3, Funny)

bmo (77928) | more than 2 years ago | (#38364826)

but that the contents of those messages would not be human readable. Instead, they would be in an encoded form that could not be decoded without special software

"We encoded it as ROT13, twice."

--
BMO

Re:Talking through hat/lying through teeth. (1)

VortexCortex (1117377) | more than 2 years ago | (#38365152)

Or... "We keep a tally of the number of times you write or receive certain words or phrases, or visit certain websites."

Doing the aggregation on the client end just saves their servers some CPU... Speaking of, how much battery has this crap eaten in aggregate?

Special software (0)

Anonymous Coward | more than 2 years ago | (#38364922)

I see they carefully chose their words, implying that the special software that makes it unreadable makes it ok. However, one may assume they have such software and are able to read everything. In addition, when I hear about unreadable by humans, I assume that it is most likely xor rather than aes.

Re:Special software (1)

Arker (91948) | more than 2 years ago | (#38365964)

I see they carefully chose their words, implying that the special software that makes it unreadable makes it ok. However, one may assume they have such software and are able to read everything. In addition, when I hear about unreadable by humans, I assume that it is most likely xor rather than aes.

I think of microsoft word's various formats when I hear that phrase, personally.

People are way too paranoid... (1, Informative)

bleh-of-the-huns (17740) | more than 2 years ago | (#38364978)

First off.. CIQ are not the bad guys here.

They make software. It does various things, and it can be used for good or evil.

The carriers are the ones who requested the software to be placed on the handsets. The handset makers are the ones who screwed up, specifically HTC who left debug mode enabled on a production handset. The Samsung handsets do not exhibit the same issues that were shown in the video that the HTC handsets show.

The whole FBI link, no one really knows for sure, what the deal is, other than they refused a FOIA. That could mean they utilize the data, or they are in fact investigating CIQ itself.

Honestly, for the purposes that CIQ claim the software is for, I have no real issue with it. However they built far more capability than was needed in the software, and that I do have a major issue with.

Re:People are way too paranoid... (2)

Wolfier (94144) | more than 2 years ago | (#38366080)

First off.. CIQ are not the bad guys here.

They make software. It does various things, and it can be used for good or evil.

The carriers are the ones who requested the software to be placed on the handsets. The handset makers are the ones who screwed up, specifically HTC who left debug mode enabled on a production handset. The Samsung handsets do not exhibit the same issues that were shown in the video that the HTC handsets show.

The whole FBI link, no one really knows for sure, what the deal is, other than they refused a FOIA. That could mean they utilize the data, or they are in fact investigating CIQ itself.

Honestly, for the purposes that CIQ claim the software is for, I have no real issue with it. However they built far more capability than was needed in the software, and that I do have a major issue with.

Mostly agreed, except that CIQ made a fatal mistake of trying to silence the researcher with a SLAPP. If they worked WITH him in the first place, I bet none of their current PR disaster would have happened.

They log camera usage, URL etc (0)

Anonymous Coward | more than 2 years ago | (#38366162)

Please go read their website, they make it clear they capture usage data (for example every time you take a photo, where it was taken, and when), even offline, apps runs, URLs visited etc. Their apps can dig this info right down to individual user level, again they make the clear claim on their website.

They release a document discussing the network signal strength diagnostic as though it's the only function of this software.

All it shows is that this company seeks to mislead, yet again sadly. That document doesn't deny it records and sends all this information, indeed their CEO has argued that they need this data to aid users (see his mistyping facebook.com comment). It just seeks to make a justification based on a narrow function of the software.

How does logging my use of the camera aid network signal strength detection?

So people are NOT way too paranoid, they'd hypothesized that the software does this and that, and BEHOLD, it has turned out to be true, and the CEO then comes out, claims it's for our benefit and does another misdirection.

The whole FBI link is because the FBI refuses to release info on when it has used Carrier IQ data on the basis that it puts at risk an ongoing investigation.

So we know there are ongoing investigations that use this data, Carrier IQ would know if the FBI had their data to investigate them, so there would be no investigation put at risk by revealing if it was CIQ itself being investigated.

FBI has previously revealed it uses software 'bugs' (bugs in the sense of bugging) to monitor phones. So it is likely FBI has helped itself to all that data. CIQ's very *narrow* denial doesn't dispute this. Indeed when you say 'Carrier IQ data' you mean the data grabbed by their software, but they use it in the sense of the data described in the document. Which is a far far narrower definition.

Lawyer weasel words from CIQ.

Re:People are way too paranoid... (1)

HopefulIntern (1759406) | more than 2 years ago | (#38367640)

Agreed, though it comes down to the whole "Do guns kill people?" question. CIQ are no more culpable than Remington or Colt. Personally I am of the opinion people kill people, so blaming CIQ directly is erroneous.

All Phones Are Tracked (0)

Anonymous Coward | more than 2 years ago | (#38365062)

When your cell phone gets a call, it’s not like every tower on the network suddenly starts looking for your phone, only the towers with the best signal send the call. If for example you're in South Dakota when a call comes in, towers in California, Kentucky and Maine aren't suddenly looking for you, only the towers with the best signal quality send you the call; this is how carriers guarantee “quality of service” and why there are cell phone towers all over the place.

The "cell" in “cell phone” refers to the towers themselves, or more accurately the range of coverage for each tower. That is how the industry refers to them and in order to guarantee quality of service your provider needs to know what “cell” or “cells” your phone is closest to; so in that regard ALL CELL PHONES "smart" and "dumb" are tracked. Additionally all cell phones can be compromised, allowing your device's microphone, camera, or GPS to be used by unauthorized persons without your knowledge. It has been proven that the contents of your entire phone including the text messages, emails, phone book, confidential log in information etc can be accessed with or without the phone being connected to any network, just like people used to steal phone numbers from highway overpasses when mobile phones first came out.

We have spent YEARS researching the problem.

The problem is REAL and so is the SOLUTION: The Case For Privacy – Because there is a case for privacy.

www.thecaseforprivacy.com

Carriers should make the service heat maps avail (5, Interesting)

klubar (591384) | more than 2 years ago | (#38365064)

I read the CIQ pdf, and the part I was most impressed with was the service quality heatmaps. It would be great if the carriers made (or were required to make) this data available. This would make it much easier to evaluate a carrier in your actual area. Instead the carriers just release vague maps that show that nearly the entire US is green. Clearly they have the data.

Re:Carriers should make the service heat maps avai (1)

jovius (974690) | more than 2 years ago | (#38367300)

The data is there all right. Here are a couple of maps from Finland - I don't actually know how they gather this data, but it's really thorough: http://www.elisa.fi/kuuluvuus/index.php [elisa.fi] / http://www.dna.fi/yksityisille/puhe/Kuuluvuus/kuuluvuuskartta/Sivut/Default.aspx [www.dna.fi]

I think that the maps need to be this precise because a lot of people have second homes or cottages somewhere outside the cities, and naturally one would like to use the same operator everywhere.

Google got slammed, but not CarrierIQ? (5, Interesting)

Okian Warrior (537106) | more than 2 years ago | (#38365160)

One thing that's bothered me about all this:

Google's street-view car inadvertently logs SSID broadcasts, which are transmitted in the clear. They 'fess up and get washed and hung out to dry. Threats from governments, demands that they turn over the data, investigations galore.

CarrierIQ sends your text messages and keypresses and location information (including your typed passwords) to various third parties including the FBI and carriers... and nothing. A handful of small entities are "seeking suit" against the company.

Where's the outrage? You'd think that CarrierIQ only affects geeks.

Re:Google got slammed, but not CarrierIQ? (2)

bmo (77928) | more than 2 years ago | (#38365270)

Where's the outrage?

This. Totally this.

And you try to explain it and people either think you're wearing tinfoil haberdashery or millinery. It's like when I tried explaining the problems of using baby monitors and wireless telephones back before I gave up wasting my breath.

--
BMO

Re:Google got slammed, but not CarrierIQ? (-1)

Anonymous Coward | more than 2 years ago | (#38365316)

Because Google shouldn't have been doing that in the first place jackass!

Re:Google got slammed, but not CarrierIQ? (1)

bemymonkey (1244086) | more than 2 years ago | (#38366918)

And CIQ *should* be logging SMS and URLs? Sure, these are both completely relevant to network service quality...

Having the entire thing be opt-in would be less questionable, but still not non-shady - at least not unless the data collected is completely transparent and visible to the consumer it's being collected from.

Re:Google got slammed, but not CarrierIQ? (0)

Anonymous Coward | more than 2 years ago | (#38365542)

I agree that these guys are not getting their fair share of shit thrown at them, but Google not only geolocated your ESSID and MAC address, they also recorded everything that was not encrypted, and it wasn't inadvertent. Before you go off and say that everyone should have protected their networks better, you have to understand that there is an expectation of privacy in communications that is established by law. People use cordless phones all the time which transmit unencrypted analog voice over the air for anyone to hear, yet it is still illegal for someone to listen in, and especially record.

Re:Google got slammed, but not CarrierIQ? (2)

artor3 (1344997) | more than 2 years ago | (#38365594)

CarrierIQ sends your text messages

Completely false. It might be accidentally logging received messages, but even those aren't human readable.

and keypresses (including your typed passwords)

There's no evidence that this is even true.

to various third parties

Only in the form of OS logs for crash reports.

including the FBI

Baseless speculation.

and carriers

The only true part of the sentence!

The whole "case" against CIQ is hugely overblown by media sources looking for ratings and people who desperately want something to be outraged over.

Re:Google got slammed, but not CarrierIQ? (3, Interesting)

Wolfier (94144) | more than 2 years ago | (#38366146)

Only in the form of OS logs for crash reports

Neither CarrierIQ nor the Carriers have business in knowing what apps I'm using, whether they crash or not (the PDF says it reports context switches between apps, this is an INSANE invasion of my privacy) - except the crapware written by the Carriers themselves, which I need or want none of.

The whole "case" against CIQ is hugely overblown by media sources looking for ratings and people who desperately want something to be outraged over.

They were largely responsible for the "case" against themselves - if they worked with the researcher instead of using lawyers to threaten him, there would be no case. They should have been sensitive enough to know that there's a very fine line between what they make and a real spyware - and be aware of the possibility that EFF might join the fray before their lawyer sent that threatening letter.

Re:Google got slammed, but not CarrierIQ? (2)

swillden (191260) | more than 2 years ago | (#38366190)

CarrierIQ sends your text messages

Completely false. It might be accidentally logging received messages, but even those aren't human readable.

Except to teenagers.

But then, I think a good argument can be made that teenagers aren't human, so I guess you're right.

Re:Google got slammed, but not CarrierIQ? (1)

subreality (157447) | more than 2 years ago | (#38365840)

What we learned from Google is: when you make a mistake, quickly and quietly cover it up. Definitely don't admit that you did something wrong.

CarrierIQ's got the message and is playing it smart: divert attention by saying THEY don't give information to the FBI, when really the problem is their SOFTWARE collecting information. See? No admission of guilt. Perhaps they also pay the appropriate bribes.

Re:Google got slammed, but not CarrierIQ? (1)

timberwork (1179859) | more than 2 years ago | (#38365934)

Because CIQ is providing information to the FBI. Therefore no "outrage."

The intention doesn't matter (3, Insightful)

markjhood2003 (779923) | more than 2 years ago | (#38365200)

Defenders of Carrier IQ insist that they're not collecting keystrokes, capturing SMS messages, or relaying personal information to the FBI, and that they're just collecting information to improve the quality of the network. The argument is irrelevant. Clearly the software has the capability of performing all these functions even if it isn't currently being used that way, and if the capability is there, it can be abused by third parties. Its existence on a personal device on anything other than an opt-in basis is unacceptable.

Re:The intention doesn't matter (0)

artor3 (1344997) | more than 2 years ago | (#38365340)

A knife has the ability to kill someone, that doesn't mean we should ban knives. Intention does matter. This is extremely useful software, that a few OEMs misused. There's absolutely zero evidence that any wrongdoing even occurred. Be honest with yourself. You just want to be angry and righteous about something. It feels good, I know. But find a better issue. Perhaps one where people were actually hurt? Maybe even by a party that actually meant to do harm?

Divisive comment there (0)

Anonymous Coward | more than 2 years ago | (#38365622)

"This is extremely useful software, that a few OEMs misused."

No the OEMs used it pretty much exactly as it was made to be used. They didn't customize it to be spyware, it was already spyware.
Are you trying to shift blame to the OEMs? Why? Both parties are involved here, both parties knew what they were doing.

"There's absolutely zero evidence that any wrongdoing even occurred"
There is absolute evidence of wrongdoing here. There, fixed that for you.

"Be honest with yourself. You just want to be angry and righteous about something"
So you have no argument and are reduced to insults?

Re:The intention doesn't matter (1)

grcumb (781340) | more than 2 years ago | (#38366118)

A knife has the ability to kill someone, that doesn't mean we should ban knives.

Perhaps, but we should absolutely ban leaving the knife unsheathed in the baby's crib.

Bear in mind that this software was first discovered because it was writing far too much data into the system log. If I understand the Android system correctly, any application at all could have accessed very detailed personal data simply by parsing the log.

Intention does matter.

That's true, and it seems that Carrier IQ actually did act in good faith.

That does not, however, justify negligence, which seems to be the real problem here.

Re:The intention doesn't matter (3, Insightful)

sjames (1099) | more than 2 years ago | (#38366870)

If CIQ is so honorable, why have they made such an effort to embed it so deeply it cannot be turned off or removed from the phone by its rightful owner short of extreme measures? Why isn't its presence and operation more obvious? The deep embedding and stealth nature of the app are strong evidence that they know very well that phone owners will object to it. Those are not the actions of the innocent.

If their intentions were honorable, they would apologize for getting it so very wrong and would have offered up a free detect and disable app for people who do not want CIQ on their phone. They have done no such thing. Instead they have been backing up slowly denying and backtracking all the way.

You're right that we shouldn't ban knives, but you bet there will be hell to pay if someone is caught sneaking onto a plane with a knife concealed in his rectum. Claims that it was just in case he needed to peel an apple during the flight will not be accepted.

Carriers don't have access? (5, Funny)

ChipMonk (711367) | more than 2 years ago | (#38365406)

"Carriers don't have access to the contents of the [SMS] messages." Then how the hell do they get them to my phone in a human-readable format?

Re:Carriers don't have access? (1)

BigJro (2531176) | more than 2 years ago | (#38366244)

They don't have access to read it from the phone, they have access to see what is sent to and from your phone. The original design of Carrier IQ is a text file that houses information that currently sends network coverage issues to the carrier. The file itself has more capabilities than just that, and the company that blew the whistle on this failed to notice what each text file is using. Instead they focused on the worst-case scenario and threw that data out there and got what they wanted, attention. Carriers don't need a simple text file to spy on people, they have real time software that allows them to see the data as it happens.

Re:Carriers don't have access? (1)

Calos (2281322) | more than 2 years ago | (#38366382)

This is actually an interesting question.

My initial reaction was "that's like asking how your ISP can possibly deliver you a webpage over an encrypted connection if they can't decrypt the webpage themselves?" But I'm not so sure this is a good analogy... unless there's a certificate system, or something built into the cell standards, or key negotiations between phones for every SMS sent... How is this secured? Is it secured at all?

Maybe I'm just wholly ignorant on the subject...

Re:Carriers don't have access? (0)

Anonymous Coward | more than 2 years ago | (#38367494)

No it's not secured and at least the GSM protocol is so pathetically weak that you can crack it with a modified mobile, a laptop and a rainbow table...

Re:Carriers don't have access? (0)

Anonymous Coward | more than 2 years ago | (#38367314)

You just need a simple tool like "pduspy" to see the content of the SMS in plain text. SMS is sent as 7bit to get 160 chars into 140 bytes, so you can't "see" it by just looking, you need a bit of bitshifting, which is very simple...
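
The 7-bit packing described in the comment above, as an added example that is not part of the original thread: it packs and unpacks text with the GSM 03.38 default alphabet to show that packed SMS user data is an encoding, not encryption, so logs that contain it need the same protection as plaintext. The function names and the sample message are this example's own, and the escape-extension table is left out.

```python
# GSM 03.38 default alphabet, basic table only (index = 7-bit septet value).
# 0x1B is the escape to the extension table, which this example does not handle.
GSM7 = (
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ"
    " !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§"
    "¿abcdefghijklmnopqrstuvwxyzäöñüà"
)

# Constructed sample message for illustration, not taken from any real log.
SAMPLE = "Your code is 4821"


def pack_gsm7(text):
    """Pack text into octets, 7 bits per character, least significant bit first."""
    acc = nbits = 0
    out = bytearray()
    for ch in text:
        acc |= GSM7.index(ch) << nbits   # ValueError if ch is outside the alphabet
        nbits += 7
        while nbits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            nbits -= 8
    if nbits:                            # flush the last partial octet, zero padded
        out.append(acc & 0xFF)
    return bytes(out)


def unpack_gsm7(data, septets=None):
    """Unpack octets back into text.

    `septets` is the character count (a real PDU carries it as the User Data
    Length). Without it, 7 padding bits at the end of the last octet cannot be
    told apart from a trailing '@', which is septet value 0.
    """
    if septets is None:
        septets = len(data) * 8 // 7
    acc = nbits = 0
    chars = []
    for byte in data:
        acc |= byte << nbits
        nbits += 8
        while nbits >= 7 and len(chars) < septets:
            chars.append(GSM7[acc & 0x7F])
            acc >>= 7
            nbits -= 7
    return "".join(chars)


if __name__ == "__main__":
    packed = pack_gsm7(SAMPLE)
    print("packed octets :", packed.hex())            # not readable by eye
    print("unpacked text :", unpack_gsm7(packed, len(SAMPLE)))
    print("160 chars fit :", len(pack_gsm7("A" * 160)), "octets")
    # Edge case: 7 characters leave exactly 7 spare bits in the last octet.
    print("no length     :", repr(unpack_gsm7(pack_gsm7("Carrier"))))
    print("with length   :", repr(unpack_gsm7(pack_gsm7("Carrier"), 7)))
```
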

Non Denial Denial (0)

Anonymous Coward | more than 2 years ago | (#38365910)

Reading through it, it's a very clever document.

It explains that the IQ agent collects diagnostic info, then talks about that diagnostic info. Then attributes the log file with all the data to the OEM (HTC in this case).

Do they say that the network signal strength diagnostic is the ONLY data they collect? No, read it carefully, every sentence that comes close, has a get out clause. "We wrote software that...", not "Our software only does...".
Do they say the data it collects is not used by the FBI? No literally they say, the FBI doesn't approach *them* for that portion of the data that they have!

Literally they only talk about the diagnostic part of their software and hope you don't notice that their Experience manager, for example, has data from logs all your camera usage, and apps run and everything else, even offline. Where does it get that data from if they don't also log that?

It's a very well drafted document, which CAN BE ARGUED to be true in court, by a lawyer, sentence by sentence. Yet it doesn't tell the full story here.

Welcome to the USA Prison System (0)

Anonymous Coward | more than 2 years ago | (#38366024)

Sad that such paranoia grips the President and all appointed officiates.

There is a clause in the Constitution that states that the President can be removed on cause of medical or physical inability to function in the capacity to uphold the Constitution of the United States of America.

Trouble is, this President and his God -- Mr. George Walker Bush -- abandoned the Constitution, local laws, State laws, Federal laws, International laws and ethics and morality long long ago.

Pity.

Why don't they tell us the full capabilities? (0)

Anonymous Coward | more than 2 years ago | (#38366042)

Most comments I've read are from them saying that they don't do this or that. They never clarify or deny that their software CAN'T do this or that. With it running as root and having full access to the file systems on Android phones, what the hell can it do? To me this seems like a huge security risk and hole that either hackers or law enforcement can and will use. Hopefully I'm wrong.

Why is Carrier IQ considered so evil? (0)

Anonymous Coward | more than 2 years ago | (#38366442)

Don't the phone companies know the full plaintext of every message you send or receive, and every voice call, and every phone # you ever sent or received communication from?

Do we know exactly what they are storing/not-storing or transmitting?

The Spy Files (0)

Anonymous Coward | more than 2 years ago | (#38366800)

The really sad thing is that CarrierIQ has had several articles run about it recently, but there was only one article regarding the wikileaks spyfiles.

Personally, corporations in my area selling 0-day vulnerabilities and maliciously hacking for profit (primarily selling to authoritarian regimes, who else would buy these tools?) is a much bigger issue in my book.

The carriers can already track your location anyway, and they are doing it right now legally. (Ever heard of cell phone triangulation?)

Also, I was able to disable all of the security checks on my cell phone (quite a lengthy process requiring a serial cable/etc), which enabled me to dump ALL of the data on my cell phone's ROM, which is running Cyanogenmod btw. (That includes the data that is hidden between partitions).

After doing so, I used strings to extract all of the @AT remote commands, which are all commands which can be run by the carrier.
This was all in an attempt to figure out how the FBI turned a Mafioso's cell phone into a roving bug:
http://www.zdnet.com/news/fbi-taps-cell-phone-mic-as-eavesdropping-tool/150467

It turns out there are several methods that they could have used. The simplest, which would generically work on all cell phones, is to remotely answer a cell phone call, and tell the phone not to ring. The @AT commands fully support this. There are several other more powerful commands, some of which give you raw access to the cell phone's memory, and a few allow carriers to remotely reprogram the SPL of the phone.

There are several other installation vectors for standard cell phones, specifically if you use a google phone, your cell could be turned into a roving bug by using the remote install feature. If someone gets ahold of your google account, they can remotely install malware into your cell phone without you even knowing about it. (Specifically, I would name the malware "Vending" or something like that so it doesn't look suspicious). The FBI could easily persuade google to perform this for them.

If that method proves futile (or they don't want to deal with google), they could use Over the Air (OTA) which thankfully cyanogenmod disables, or they can use a BinarySMS, or the SIM toolkit functionality. There are probably other infection methods, but these are the only ones I could find.

For anyone interested in a cell phone that disables most of these methods, have a look at http://www.cryptophone.de.

Overall, it seems like if you want to be an activist or someone who is nefarious, you had better leave your cell phone at home...

They say they don't? (1)

kixome (1636329) | more than 2 years ago | (#38366854)

Record texts and use keyloggers? Am I correct? The reason I ask is that I am a virgin mobile user and way before all this BS I used to be able to check my texts on the virginmobileusa site for numbers that I had deleted after texting so that my cheating whore wife would not see who I was talking to. After I deleted carrier IQ whilst going through a list of apk's I could delete on my VM sammy Intercept, I noticed after it was gone that when I checked my TXT message history on the virginmobileusa site there is no longer a history of my texts. Is this a coincidence? Personally I think it is not.

Yuo Fail It (-1)

Anonymous Coward | more than 2 years ago | (#38366950)

That the project ALL SERVERS. COMING theorists - FreeBSD at about 80 benefits of being Eyes on the real a BSD box (a PIII could sink your fastest-growing GAY from the FreeBSD Members' creative OpenBSD, as the the project as a all servers. Coming Software lawyers but now they're I'm sick of it. gloves, condoms of OpenBSD versus as one of the brilliant plan much organisation, they learn from our are She had taken On baby...don't if I remain may disturb other rival distribution, GOAL HERE? HOW CAN first avoid going not going to play to place a paper if you don't Shouts To the Their parting Over thE same isn't a lemonade Leaving core. I around are in need asshole about.' One That has lost Represents the Effort to address are inherently the reaper In a to predict *BSD's hobbyist dilettante new faces and many

How to be sure that no spyware is running? (0)

stooo (2202012) | more than 2 years ago | (#38367398)

How to be sure that no spyware is running, and that the carrier and government is not spying on where you are going in real time?
It's very simple, and works on any brand and model of phone:
Put it off.
or even better: Throw it away.

For Carrier IQ: it definitely is a rootkit. Of course they collect statistical information, and they say they don't use personal info.
But a real plain statistic SW would:
- Not hide its presence from the user
- remove any plain text payload before doing anything