Carrier IQ VP: App on millions of phones not a privacy risk

More than 48 hours after a software developer posted evidence Carrier IQ monitored the key taps on more than 141 million smartphones, a company official has come forward to rebut the disturbing allegations. And he's provided enough technical detail to convince The Register the diagnostics software doesn't represent a privacy …

COMMENTS

        1. trashbat

          Not the platform

          Indeed - but you could write an app that used 100% of your desktop's CPU and you wouldn't blame the platform. Android seems reasonable at getting rid of unused stuff, but it's easy enough to write your app in such a way that it won't usually be killed (background services being a prime example) and in such a way that it has a negative effect on battery life (stopping the phone going to low power sleep being another).

          I haven't got the CIQ app so I don't know how well it behaves - but these issues aren't inherent to Android or (as far as I know) any other platform.

  1. heystoopid
    Big Brother

    So?

    So ?

    Now we are told, well in excess of 140,000,000 smart phones have been infected with a Carrier IQ trojan keylogger/spyware virus app!

    In addition, it is a known certainty that all Apple iPhones spy on their owners with the very same application.

    Or, perhaps the real number of deliberate spy on me company infected smart phones, in use around the world, is in reality closer to the total number of smart phones sold to date?

    In other news, Google recently removed 40 very flawed applications available from the Android App Store, as it was demonstrated, that they too were carriers of disguised trojans, keyloggers and other malware!

    But then again, if Joseph Stalin were alive today, he would have a big smile on his lips, as all the so-called freely elected western democracies rapidly adapt his older methods of spying, revised with modern technology to spy on their own citizens! Now tell me, who lost the cold war again?

    Is there not a cynical Yankee saying:- "Fool me once, shame on you, fool me twice, shame on me!"

    Or another saying goes "Pull the other one, it has bells!"

  2. FozzyBear
    Black Helicopters

    Wow

    Just Wow.

    It is amazing that some commentators, including the author, would actually take anything that this man has said at face value. Why would I believe the man when he is the one peddling the product?

    Unless a completely independent body/person is able to verify his claims, again, it's all just snake oil to me. If his claims are right then the question is why the hell does it need to be preinstalled on the handsets?

  3. Shades

    48 hours El Reg?

    This has been going on for over a week now! Carrier IQ's first reaction was to send in the dogs and threaten the little guy who found their software with a lawsuit, which they very, very quickly dropped once the EFF got involved. This, in my eyes, tells us all we need to know about CIQ and their software... They used scare tactics and then quickly withdrew them in the hope that TrevE would consider himself lucky and not pursue things further. Something to hide fellas?

    Hopefully the damage is done and no amount of attempted limitation is going to put the genie back in the bottle... well, until another, similar company sneaks in the back door and we get to take another spin on the privacy merry-go-round... again!

    Thank goodness we've got inquisitive guys like TrevE looking out for us, and, when companies decide to "shoot first", they've got the EFF to back them up.

  4. Anonymous Coward
    Big Brother

    Too lenient

    To me the real questions are:

    Why they decided to make this a hidden, unkillable process with no opt-out on Android. This was their biggest mistake of all.

    Then why did they try to sue TrevE first thing instead of coming completely clear as they are trying to do now?

    Finally when he talks about key combinations or SMSs to call up functions in the Carrier IQ app, what exactly are those functions and can a hacker take control of the Carrier IQ app via them?

    In way of farewell maybe ask him what he plans to do in the future, now that his company is dead.

  5. Anonymous Coward
    Anonymous Coward

    "Logs" are stored and saved in the mobile device

    Anytime an Android app writes to the logs, they are literally "logged", written and saved onto a log file. The logcat utility can be used to peek into the contents of the file, and can be used to clear (flush) the contents of the log file. Go read the Android Developer documentation:

    http://developer.android.com/guide/developing/debugging/debugging-log.html

    No matter how you slice it, all of those debug messages containing valuable, private, and confidential data are "stored" and "saved" in a log file managed by the Android mobile operating system. Programmers should NEVER send debug messages that capture and contain valuable, private, and confidential user data to log files and release the app into production to 150 million users.
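
An added example, not part of the comment above and not Carrier IQ or Android project code: a host-side audit that parses saved `adb logcat -v threadtime` output and flags messages that appear to carry private data, the kind of check a release process can run before shipping. The sample lines, tag names and detection rules are constructed for illustration.

```python
import re

# Constructed sample in `adb logcat -v threadtime` layout; tags and values are made up.
SAMPLE_LOG = """\
12-01 10:15:32.101  1234  1250 D ExampleDiag: key event code=52 action=down
12-01 10:15:33.480  1234  1250 I ExampleDiag: sms received from=+15555550123 body=hello world
12-01 10:15:35.002  2210  2210 D ExampleBrowser: loading https://example.com/search?q=private+query
12-01 10:15:36.750  1234  1251 W ExampleRadio: signal dropped, retrying
12-01 10:15:37.010  3100  3100 V ExampleUI: layout pass took 12 ms
--------- beginning of main
"""

# threadtime layout: date, time, PID, TID, priority letter, tag, then the message.
LINE_RE = re.compile(
    r"^(?P<date>\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d\.\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+) (?P<level>[VDIWEF]) "
    r"(?P<tag>.*?)\s*: (?P<msg>.*)$"
)

# Illustrative rules only; a real audit would be tuned to the app's own data types.
RULES = {
    "phone_number": re.compile(r"\+?\d[\d\-\s]{8,}\d"),
    "url_with_query": re.compile(r"https?://\S+\?\S+"),
    "key_event": re.compile(r"\bkey\s*(event|code|press)", re.I),
    "message_body": re.compile(r"\bbody="),
}

def parse(line):
    """Return the fields of one threadtime line, or None for anything else."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def audit(text):
    """List (line_no, tag, level, rule_names) for messages matching any rule."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        rec = parse(line)
        if rec is None:  # buffer separators such as "--------- beginning of main"
            continue
        hits = sorted(name for name, rx in RULES.items() if rx.search(rec["msg"]))
        if hits:
            findings.append((n, rec["tag"], rec["level"], hits))
    return findings

if __name__ == "__main__":
    for line_no, tag, level, hits in audit(SAMPLE_LOG):
        print(f"line {line_no}: {tag} ({level}) -> {', '.join(hits)}")
```
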

  6. P 14
    FAIL

    Neutral except

    I don't like automated processes on anything that I haven't by choice enabled. That it's silent, background and hidden, makes me NOT want it on my phone, as much as I don't want bloatware on a PC. No choice means no choice. The crux is that I wouldn't have an issue IF I was asked on a support call, to have turned it on, if I needed to, as long as when the issue was fixed I could turn it back off. I don't GAME with my AV running a full scan. Give me an off switch and I won't complain further. Other people thinking on my behalf feels as ill boding as other people thinking for me at all.

  7. Anonymous Coward
    Anonymous Coward

    quite easy to check if you have it

    https://market.android.com/details?id=com.app.ciqchecker

  8. Anonymous Coward
    Facepalm

    Questions you should have asked

    "We do also record the telephone numbers the SMSs are from and to."

    Q. Do you think that the telephone numbers of the people that someone communicates with can be sensitive?

    "One of the reasons for that is there's a huge amount of radio information that gets transmitted."

    Q. Does this include data which could be used to track the user's location - for example the times and identities of the base stations the phone has been talking to, maybe the signal strength too?

    "There are a sequence of key codes that can be typed by the user that cause the software to do things in the control center."

    Q. What is the sequence of key codes that will turn the bloody thing off?

  9. Hud Dunlap
    Holmes

    What about the U.S. Senate

    They can say what they want to El Reg. I want to see their response to Senator Al Franken. Lying to him would be a very bad idea.

  10. Anonymous Coward
    Anonymous Coward

    I'm sorry ...

    But I don't believe you.

  11. Mike Flugennock
    FAIL

    Carrier IQ VP: App on millions of phones not a privacy risk

    Of course, this can only mean one thing: Apps on millions of phones ARE a privacy risk.

  12. Anonymous Coward
    Anonymous Coward

    Smack them!

    I know they might've meant well

    I hate to constantly think bad about everyone who deals with any private data

    But

    Seems to me like Carrier IQ + Telcos need to be smacked upside the head. HARD!

    The more times people are in an uproar - even (or perhaps preferably) one totally out of proportion - the more chances people who work in the same field have at understanding that people are paranoid bastards who do not like anyone secretly snooping around in their data.

    Openly snooping is however fine (see: Facebook). It all really boils down to being able to perform a somewhat informed choice.

    And yes I realise that this is a horribly consequentialist reason for punishing someone, but as we're dealing with companies, it's really the only thing that can have effect!

  13. heyrick Silver badge
    Stop

    All the comments for and against...

    It's like the one with tracking your mobe through a shopping centre... just because it is technically possible doesn't automatically mean it should be done; and certainly in the case of end-user privacy (a concept which has taken quite a beating recently), any sort of consent needs to be explicit and not buried within Terms & Conditions.

  14. Anonymous Coward
    Anonymous Coward

    pls brck my fone strangr

    "The reason the SMS contents and key taps are monitored at all is so they can be used to invoke Carrier IQ programming interfaces". Bloody hell.

    Given that invoking the CIQ API must have a non-zero cost of cpu time and memory space, that because this is a non-public diagnostic tool the error checking will probably be pitiful, can we look forward to a spate of Android DOS attacks invoked purely by spamming a text message? I think we can.

  15. Alister

    Like tiny fish through a net, key taps dropped from memory

    Is that a haiku?

  16. heyrick Silver badge

    All the comments for and against...

    It's like the one with tracking your mobe through a shopping centre... just because it is technically possible doesn't automatically mean it should be done; and certainly in the case of end-user privacy (a concept which has taken quite a beating recently), any sort of consent needs to be explicit and not buried within Terms & Conditions.

  17. Decius
    Black Helicopters

    Logging?

    If you can't get the information after power cycling the phone, it hasn't been logged.

    Guess what else has to monitor every key press? Every active program. The browser also has to see the URL, by the way. I wonder how paranoid these people get about the logging done by car computers.

  18. All names Taken

    I wonder if that is yet another reason for poor battery performance on Android kit?

    (Too many background processes running like most of the time?)
