back to article Carrier IQ VP: App on millions of phones not a privacy risk

More than 48 hours after a software developer posted evidence Carrier IQ monitored the key taps on more than 141 million smartphones, a company official has come forward to rebut the disturbing allegations. And he's provided enough technical detail to convince The Register the diagnostics software doesn't represent a privacy …

COMMENTS

This topic is closed for new posts.
  1. zen1

    Is it just me?

    Or is this guy so full of shit that it's spewing out of his ears?

    1. Piro Silver badge

      Yes, pretty much

      Even if what he said was true to any degree - it's still another layer of bullshit software monitoring almost every event, which will add latency and load to the phone, even if it is only minute.

      It's wholly unnecessary. If it was to measure quality of service, it wouldn't need to log any SMS or button presses. It could simply log location based on triangulation of GSM towers, and the strength from those towers. Maybe it could log an event where a call gets dropped without pressing the end call button, then your approximate location based on the GSM tower triangulation.

      That's about all I can think would be reasonable, at most. Why it needs to receive information about everything else I don't know. I still wouldn't want it, but at least it would be defensible.

      1. Destroy All Monsters Silver badge
        Holmes

        "It's wholly unnecessary."

        And that's why software configuration management and runtime configuration exists.

        Maybe Verizon et al. haven't yet fully gotten arround to that.

        Reg: "His version of the software has been confirmed by Dan Rosenberg, an Android security researcher who has reverse engineered Carrier IQ and examined the underlying machine language."

        The World And His Dog needs an interview with that guy, too.

        CarrierIQ: "To prove that's the case, we've brought in security consultants to take a look at our code and take a look at what we're doing and validate it."

        That sounds pretty legit to me.

        Yes, CarrierIQ needs to talk smooth, but that's understandable -- they suddenly have to deal with bored senators, a busybody FTC, four lawsuits, bad press, irate progressives demanding "ANSWERS, MAN" and people who think capturing a keycode is spying?

        (Meanwhile, didcha know that the US senate okayed military detention of Americans without charges or a trial, even if snapped up on a random street of the homeland? Is it in the news?)

        1. Drew V.

          @DAM

          It's entirely possible for the senate to be wrong about detention and right about phone snooping. The detention debate is irrationally distorted by the hysteria of the War on Terror.

      2. Lance 3

        @Piro

        What about call failures when there is 5 bars? You can have full strength and still have a call failure, garbled voice, etc. You can even have a call setup failure; this no end call button pressed.

        Take an Android phone, Google has all your info, it logs every AP and the MAC address it has and reported it to Google. My AP's are known by Google and yet never has an Android device been connected to them.

        1. Anonymous Coward
          Anonymous Coward

          @Lance 3

          But why slow down every phone and create a possible security risk to hunt down rare occurrence that no one has even reported? Why not wait till a user has a problem, as them to put some diagnostic software on their phone and, when the problem is found, get them to remove the software?

          We have:

          - Software that the provider claims is safe, but we only have his word on it.

          - If the software is safe at the moment, who is to say it won't have more ominous uses later.

          - And, what is to stop someone hooking the calls in this software, so their own code does not show any intercepting code?

          All still a bit nasty sounding to me

          1. Tom 13

            Because the real glitches that

            are problematic to solve are the intermittent ones. Ones where the software has to be installed before the event happens, captures the data, and delivers it to the troubleshooters when a good connection is available.

            That doesn't mean it doesn't comes without security risks. I'm in the camp that says users should be appraised of those risks and allowed to decide whether or not to provide the info.

          2. I. Aproveofitspendingonspecificprojects
            Pint

            Doh!

            Or have the programme switch on and off-able.

  2. Anonymous Coward
    Anonymous Coward

    Downplayed too hard

    The fact that they are logging *ANY* of this information is a security risk. What prevents any other application on the device from reading the log?

    Also, has their "SMS API" been audited to be sure it's secure?

    The truth lies in the middle ground between the security research industry's perfectly-valid fears, and the company's adamant denials. Ignorance of the law is not a defense. CarrierIQ did a lot of things wrong.

    1. Gordon 10

      Actually in fairness

      Ciq have done very little wrong.

      It's the carriers and vendors who have installed it on the phones without clearly asking for an opt in who are to blame.

      To use the analogy of the fishing net again - what would bothers me is if the size of the holes in the net can be updated dynamically over the air thus turning minor monitoring into major.

    2. Voland's right hand Silver badge
      Devil

      Why just the SMS Api

      If they are listening on nearly every Android "Intent" there may be other choices besides SMS to make this application do things that were not intended by its creator.

    3. Lance 3

      @AC 02:19

      "What prevents any other application on the device from reading the log?"

      What prevents another app from doing the same or worse than what CIQ is doing? The "log" you speak of would have less information that the source of that information, the handset itself. As for what keys were pressed, if the software that could read CIQ logs were installed, it could be a keylogger itself.

      What did CIQ do wrong?

      1) They didn't install the app, the carrier did

      2) The carrier asked CIQ for this app

      3) The servers are controlled by carrier

      4) The carriers already save the SMS messages anyway

      5) It it not a keylogger

      1. Alex.Red
        WTF?

        It *is* a keylogger!

        And it is called Keytracer (+IQ Agent Service) on my SGS II from Sprint

        Also, if you check the video then you will see that keylogger logs *all* key presses all the time.

        Could you tell me why the CIQ application logs my keys? You do know that Verizon does not preinstall the application, right?

        Following your logic HP, Dell and others should install keyloggers on each and every Windows 7 machine that they produce in order:

        - to deliver better service when something is not working, so their support center can know right off the bat what is going on;

        - to monitor what applications people prefer so manufacturers can create better user experience by preinstalling them;

        - to monitor your location in order to give you region specific offers;

        - etc.

        In US it is called *wiretapping*.

        1. Tom 13

          If we accept your definitions, then MS DOES have keyloggers installed

          in their product. And they can send that information back to base whenever MS program it too.

          Now, in the case of MS, the programming interrupts the send to request your permission, which makes it legal. It may be legal for the carriers as well. The permission may be buried in the legaleese most of us breeze through when we sign the contracts.

          The issue I see for the phones is that for all the holes in MS software, they are better separated than the stuff on our phones, which makes this a bigger security threat, even if it is intended as a purely diagnostic tool.

      2. Anonymous Coward
        Anonymous Coward

        They are still intercepting communication the user reasonably expects to be secure.

        The Android permission model protects the device from these kinds of privacy invasions in a normal scenario. This application not only bypasses that, but also logs the data in an insecure manner so ANY APP CAN READ IT. Not good practice, because now, even if CarrierIQ is telling the truth and they are behaving in a trustworthy manner with our data, they have just exposed the device to the point where anyone else can see what they saw.

      3. Anonymous Coward
        Anonymous Coward

        @Lance 3

        Yeah and Phorm was just supposed to gather some vague info for some basic advertising, ensuring the user knew about it!

        Stop believing the shite these corps spew you muppet!

  3. Richard Boyce
    Big Brother

    Remote control

    We're told that Carrier IQ acts upon messages from outside. It's be interesting to know what sort of instructions it can be given and whether this backdoor could be exploited by someone hostile. Criminals and governments would love to gain control of a built-in rootkit. I can see people wanting to install software firewalls in phones as we've seen with PCs.

  4. Eddy Ito

    "My point is that the software was never designed to gather and transmit that text."

    Didn't Google say something similar when they were going about slurping as much wi-fi data as they could on their streetview rounds?

    Oh, at 200 KB per day, he's talking about 6 MB per month which I have paid for and am not getting which doesn't make a hill of beans on an unlimited (read 2 GB in the US) plan but given I'm a miser and only flip for 50 or 200 MB it's a rather onerous chunk.

    1. Destroy All Monsters Silver badge
      Holmes

      "6 MB per month which I have paid for"

      So did you notice anything unusual on yer phone bill, old chap?

      Maybe these chunks are marked "not billable" in the billing system, who knows.

    2. Lord Elpuss Silver badge

      +1 on your first point, but as regards the second I seriously doubt the operator would include CIQ's 6MB in your monthly quota. That would be asking for trouble. More likely the CIQ data is tagged and separated from your account as quickly as possible.

  5. James 47

    Hmmm, ok

    1) Does Carrier IQ use native APIs to get such privileged access or are special APIs mandated by operators so that CIQ can work?

    2) If 1 is the latter, can malicious apps access these APIs too?

    3) The CIQ exe probably runs at the highest privilege level. Is the app well written? Can a malicious app exploit it?

    1. trashbat

      RE: APIs

      On Android, none of what's described requires privileged access; it's all standard APIs that market apps can request. The difference of course is that normally you have to opt-in, i.e. at the point where you choose to download an app, you're presented with the permissions and have to approve them.

    2. Alex.Red
      Alien

      A malicious app could read the log

      Collected by CIQ keylogger.

  6. Anonymous Coward
    Anonymous Coward

    The soap is on!

    Chapter one: Who gets the scapegoat ?

    So these carrieriq guys are pointing at the operators ("the data is commissioned by the operators"). This is backed up by at least one Operator; looking back at the previous article 'Sprint' basically confirmed the whole thing: "Carrier IQ provides information that allows Sprint, and other carriers that use it, to analyze our network performance and identify where we should be improving service.".

    Quite frankly I think they're telling the truth. Its already a given fact that operators will do anything to 'force' customers to stay with them, think about locked down cellphones for example. So within that context I tend to give these guys the credit of the doubt, even though I strongly spoke against it in an earlier thread.

    Unfortunately we can't be sure for now. Its a proven fact that privacy sensitive data leaves the phone; but where its going is a mystery so far. My bets are on the operators, but for all we know this could be a ruse....

  7. GSLEON3
    WTF?

    Conveniently omitted???

    Sorry, but I have to say bullocks as they say across the pond. The data sent to carriers is much more than just radio and device performance information.

    I have researched and had confirmed by a source at AT&T that they get info on app usage including ALL side-loaded applications, use it to determine who uses tethering (and if that's anonymous, how are they targeting those that tether for the warning emails & letters?), they also get information on the ads you view & how you respond to each ad.

    So, how did they convince you? Did you look at any of the code yourself? Are you just taking the word of a Coward? (sorry couldn't resist that grapefruit hanging there in the air.)

    1. LarsG

      Its

      Bollocks you mean.

      1. Mike Flugennock

        Bollocks vs. Bullocks

        Thanks, on behalf of some of us across the pond who don't know the difference. To clarify for my fellow Yanks: "Bollocks" is British for "bullshit", or "horse hockey"; "Bullocks" is a reference to a skinny overrated movie actress.

        1. Anonymous Coward
          Anonymous Coward

          So very wrong ...

          ... on both counts.

          As a Bertrand Russell once said: ‘It is a misfortune for Anglo-American friendship that the two countries are supposed to have a common language’.

    2. Old Tom
      FAIL

      Omitted? You must have skipped that bit

      "I have researched and had confirmed by a source at AT&T that they get info on app usage ..."

      So you didn't read the bit where he said "We have others . . . where they get an upload once a day that will contain information about what applications you've been using."

    3. Destroy All Monsters Silver badge
      Headmaster

      > I have researched and had confirmed by a source at AT&T

      Pics or it didn't happen.

      Also, you may want to take your questions up with AT&T and Verizon, as these are really the interested parties.

    4. Anonymous Coward
      Anonymous Coward

      You show us

      Please show us. So far we've seen a video of a dev reading a log file over USB. That's it. All this hoo har, all these accusations - dragging down Carrier IQs rep. And no one has provided any proof yet that the data is really being sent off anywhere.

      The data being TEMPORARILY logged is no different from the data in your regular sms inbox, sent items, browser cache etc.

  8. Shades

    48 hours El Reg?

    This has been going on for over a week now! Carrier IQs first reaction was to send in the dogs and threaten the little guy who found their software with a lawsuit, which they very, very quickly dropped once the EFF got involved. This, in my eyes, tells us all we need to know about CIQ and their software... They used scare tactics and then quickly withdrew them in the hope that TrevE would consider himself lucky and not pursue things further. Something to hide fellas?

    Hopefully the damage is done and no amount of attempted limitation is going to put the genie back in the bottle... well, until another, similar company sneaks in the back door and we get to take another spin on the privacy merry-go-round... again!

    Thank goodness we've got inquisitive guys like TrevE looking out for us, and, when companies decide to "shoot first", they've got the EFF to back them up.

    (Apologies if the is reposted El Reg, something odd happened and it didn't appear as "submitted" in my "My Posts" page... actually, looking at it my last few comments haven't?)

    1. Gordon 10

      Lets not canonise

      TrevE just yet.

      He wasn't looking out for us he was was publicity seeking. He was very disengenuous about that demo and some of the things he said were misleading at best. For example the https stuff was irrelevant but made to be a big deal.

      1. Anonymous Coward
        Stop

        HTTPS

        You mean having your encrypted information broadcast in the clear to a third unknown party will not harm you in the slightest, do you have person walking around with you to the bank who then shouts out your credit card details to all and sundry including your pin?.

        1. Sean Baggaley 1
          Stop

          @L1ma: Except it *wasn't* encrypted, was it?

          The CIQ software is just listening in on the OS' standard event loop—the code that receives all input from the user and parcels it out to the relevant OS functions and any running apps. That latter category happens to include the browser.

          I.e. the CIQ code is intercepting user input *before* the browser code has even received it and had a chance to encrypt it. You can write key loggers for *any* OS with a similar event loop. OS X, Gnome and KDE, Windows—you name it.

          As the software has been specified and agreed to by the operators themselves, there was no need for the app to request the user's permission as that permission was granted when said users bought the phone and agreed to the operator's own terms and conditions. (Read the small print, folks!)

          Apple appear to have been using CIQ primarily as a debugging, performance metrics and instrumenting tool, rather than for the benefit of operators.

          I think the wrath hurled at CIQ has been a little over the top: Many hardware engineers and software developers rely heavily on tools like these. They can really come into their own when performing regression testing: if you know a certain sequence can reliably cause a crash, you can write a simple script for the QA team that replays the exact same input sequences. The team runs this script on future OS builds to see if that bug you thought you'd now killed has stayed dead. Over time, you end up with a hell of a lot of such scripts, which your QA team runs in batches against each and every new build.

          By all accounts, it does genuinely appear to be disabled in iOS 5.

          The fundamental issue here is whether the carriers have been genuinely abusing the software, or whether they're just using it to monitor their network's performance, as is claimed. Whether the users were aware of the application's existence in the first place is utterly irrelevant: they agreed to the operators' T's & C's up-front. The onus is on the end user to read those contract terms and conditions *before* signing on the dotted line.

          It may be 2011, but the golden rule of "Caveat Emptor" still applies.

          If it turns out that the CIQ software _is_ being misused, a hurricane of rage and fury shall be perfectly justified. But until there is solid evidence of this, it's just the usual uninformed media maelstrom of wild, baseless, speculation and tin-hat paranoia.

          1. heystoopid
            Joke

            Joke Alert!

            If this software is supposedly harmless, as you claim it is, why hasn't "Wanker IQ" provided a simple software removal tool to eliminate it, from all rooted smart phones, so infected from day one, when it first went live?

            And the answer is.................................."pull the other one it has bells!"

          2. I. Aproveofitspendingonspecificprojects
            Trollface

            Si emptor curandum. Et emptor curaturum.

            "The fundamental issue here is whether the carriers have been genuinely abusing the software, or whether they're just using it to monitor their network's performance, as is claimed. Whether the users were aware of the application's existence in the first place is utterly irrelevant: they agreed to the operators' T's & C's up-front. The onus is on the end user to read those contract terms and conditions *before* signing on the dotted line.

            It may be 2011, but the golden rule of "Caveat Emptor" still applies."

            Are you a shill?

            Once they realise that there is a problem they will tryto undertand theproblem. And once they understand the problem they will try to solve it. This usually takes the phorm of buying a bigger and better machine.

            It was the making of Windows. I can't see how it can fail for phones.

      2. Alex.Red
        FAIL

        I second L1ma's question about HTTPS

        Could you clarify how it is harmless when all your keys are logged *before* HTTPS encryption takes place?

        Do you understand that those keys are logged into a file that *any* application on the phone can read?

        Do you understand that it is *easy* to parse the log file?

        Do you understand that for the bad guys this is a *very* big Thanksgiving/Christmas/New Year gift?

        Probably, it is time to root my family's phones (Evo 3Gs, Evo 3D and SGS II)

        1. murbul

          Extremely unlikely that any application could read the log file, assuming there even is one. Yes it is logging events, but I don't think there is confirmation it logs to file? Android apps do not have access to other apps' data files unless permission is explicitly given or the device is rooted.

          But yeah it's all a big unknown until the source is provided or somebody completely reverse engineers it.

        2. Anonymous Coward
          Anonymous Coward

          @Alex.Red

          Did you actually read the article?

          They explicitly state that they do not log the key presses or SMS contents to a file. They simply parse them for specific key sequences that tell the software to perform certain actions. A bit like being able to type a key sequence into your phone to get it to display your IMEI number, they can do the same for their software. So they are parsing the key presses, but not logging them. They say this all takes place in RAM.

          Even if *any* application could read the log file, surely if the bad guys have installed software on your phone, them reading this file would be the least of your worries. I'm sure the bad guys would rather just log key presses themselves rather than read a log file that is missing most of the data they would want access to.

          Now whether you believe their assurances that they are not logging keys and SMS messages to files is up to you, but I think their willingness to open their code to independent auditing and the reverse engineering by security researchers that confirms their assertions should give their claims some credence.

          1. Rob
            Go

            Log in the stream?

            From what I've read about this I get the see a lot of people referring to 'logs' or 'logging' but that's not what is essentially happening as per the video. The CIQ app isn't creating that log that was shown in the video, that was the event 'stream' that the phone was producing and the app was keeping an eye on the 'stream' whilst using it's real-time filtering at the same time, when it's sees an event that it needs for analytical purposes it catches it from the stream and saves what it needs into this 200kb file for transmission. So the all of that event stream in the video is what the phone is producing the app is just dipping in to it.

            It's the carriers that need to be taken to task over this not carrier IQ, just because someone makes a gun doesn't mean I have to use it.

    2. Destroy All Monsters Silver badge
      Trollface

      The 99% speak

      > TrevE

      > looking out for us

  9. ~mico

    I wonder...

    Is it also embedded in CyanogenMod? Or is it embedded in a layer above the OS? Because otherwise, this spyware is the sort of reason that may push the majority of users to root & flash their phones.

    1. Gordon 10

      Numerous people

      Have checked and not found it in cyanogen mod. Given that there are so many cyanogen Roms around its not guaranteed but it's fairly unlikely.

      1. Anonymous Coward
        Anonymous Coward

        This bit seems to be giving a lot of people trouble.

        This is a piece of software installed or mandated by the carrier, not the manufacturer.

        If you have an ROM based on android source (like cyanogen) or you get it direct from Google then you do not have this application. Nor will you have it if you buy an unlocked and unbranded phone direct from the manufacturer.

        The application is installed by the carrier (or by the manufacturer at their behest) on carrier branded phones.

        Furthermore this whole shamozzle seems limited to the US.

        I don't think any of the above is any sort of excuse though and your man in the interview here is full of shit.

        He is saying that their application looks at everything and then decides what to record. He also says their application can take instructions from SMS.

        He then says they hand the reigns of this powerful and easy to misuse software over to the carriers; a group of companies not usually noted for their intelligence, probity or ethical behavior....

  10. MooseNC
    FAIL

    Uh huh...

    Looks like someone is getting a kickback!

    Really; the Reg is okay with a company releasing a software that allows the capture of information that is thought to be private?

    WITHOUT the consent or knowledge of the user?!?!??

    Wow... Just... Wow....

    1. Gordon 10

      Consent and consent

      I suspect that most of the carriers have 'consent' buried in their t&c's somewhere. Unlike apple who asked explicitly for consent.

      Bear in mind CIQ provide a service, it's the people that abuse that service should feel our ire.

      1. matt 83
        Joke

        so...

        it's ok to sell child porn so long as you don't film it yourself? It's just a service you're offering.

        1. Basic
          Trollface

          You can take anything to extremes

          And it never helps.

          Stop trolling and drink some beer instead

      2. Alex.Red
        Flame

        Are you saying that CIQ people are stupid?

        You are implying that CIQ people did not understand what kind of application they were writing, right?

        An application that logs *every* keypress *without* owner's consent (watch the video, it is all there) is totally legal as soon as you can sell it, right?

        I understand (but do not agree) when CIA/FBI requests an application that snoops on every keypress.

        But I do not understand when a carrier requests such thing and a company like CIQ *agrees* to write the applicatoin.

        If I was a technical lead on such a project I would of start asking questions why do we write an application like that and what are legal consequences.

  11. Anonymous Coward
    Anonymous Coward

    I can see the need for this, truly I can

    What I'm more worried about is the fac tthat it's pre-installed and that it can be used as an attack point for someone to take the rights that this software has and to extend it further.

    My radio connection to the network is crap enough as it is (Maybe this will help) but do I want some other shmuck to exploit this software and to start doing stuff with it that I have no control over? I didn't agree to their EULA or sign a legal agreement with them in the first place!!

    This seems to me like a way to get into a few million handsets with your eyes closed.

  12. Spud2go

    @~mico

    From Cyanogenmod website, 02-12-2011

    http://www.cyanogenmod.com/blog/cyanogenmod-will-never-have-carrier-iq

  13. Anonymous Coward
    WTF?

    To put it another way.

    Yes Officer, I stole 50,000 ebooks from Amazon, but I didnt look at any of them, so I havent done anything wrong".

    Violating the privacy and data protection laws in (probably), every country in the world, but its ok, they were only following orders.

  14. Brett Weaver
    Thumb Down

    I'm Sorry But..

    Not querying the company about their initial reaction, and the inferences we are allowed to draw from that, means that this is a puff piece.

  15. WonkoTheSane

    Have you got it?

    Try "Voodoo Carrier IQ Detector" from the Android Market.

    (Says no on my Orange Samsunge Galaxy SII)

    1. Zippy the Pinhead
      Thumb Up

      @wonko

      Thanks for the idea about doing a search for Carrier IQ in the Market

      Here's something curious.. I am on a Droid Razr.. and on Verizon in fact.. and I've downloaded 2 different Carrier IQ detector utils and neither have have this rootkit. So I can only assume that it was never installed or Verizon trying to head off a shitstorm of protest has turned it off on my device. Either that or the applications I downloaded from the market do not actually work.

  16. Christian Berger
    Facepalm

    The radio thing doesn't make much sense

    After all, particularly on UMTS/WCDMA you can simply use the data your base-stations hand to you to not only precisely locate the position of the mobile station, but also determine the path loss as well as the impulse response of the path. That's way more than you can find out via talking to the baseband chip.

    In short it demonstrates what is wrong with the industry. The carriers believe that the mobile station is theirs and they can decide what you do with it. This may be legitimate if they give it to you for free or very cheap, however in most cases you still pay the full price, so you should get full access to the device. This also means I should not only get the right to execute any software and the right to not execute software I don't want, but also to have a sensible way of accessing the device, i.e. a shell which is not just a bunch of buttons.

  17. LarsG

    IF IT WAS SO ABOVE BOARD....

    why was it hidden, why say nothing about it until forced to?

    Imagine buying a car and only being told it is fitted with a tracker as standard 10 years after you buy it.

    Very unsavory and very suspicious.

  18. Anonymous Coward
    Anonymous Coward

    read their own words...

    “IQ Insight Experience Manager overcomes the drawbacks of traditional techniques of user testing such as focus groups, where sample size is small and the process is slow. Experience Manager takes customer experience profiling to an advanced level with multiple levels of granularity, from the entire population, to comparative groups, down to individual users– all at the touch of a button,” he continued.

    IQ Insight Experience Manager uses data directly from the mobile device to give a precise view of how the services and the applications are being used, even if the phone is not communicating with the network."

    http://www.carrieriq.com/company/PR.Experience_Manager.CTIA-09.090325.pdf

    that is from a 2009 press release - what appalling, fawning journalism from the Reg... don't believe what they tell you when they're on the defensive, better believe their sales boasts to industry insiders.

    These guys have the ring of arms dealers with the same defences ... 'if we weren't doing it, someone else would' .... 'we just sell the stuff, what our customers do with it is out of our hands' ... 'if you think what we do is bad, just look at what our customers have got on you without our help!'

  19. Will Godfrey Silver badge
    Unhappy

    Don't trust them an inch!

    Everything I hear just makes me more convinced that this is something extremely invasive and prone to abuse that I don't want anywhere near a phone of mine - or anyone else's, for that matter.

    I'm astonished that El Reg sees this any differently.

    1. Anonymous Coward
      Anonymous Coward

      Re: Don't trust them an inch!

      An interview with Carrier IQ does not signify trust or approval.

      1. Anonymous Coward
        WTF?

        What about "And he's provided enough technical detail to convince The Register the diagnostics software doesn't represent a privacy threat to handset owners."

        Does that not signify trust and approval?

        1. Mark 65

          Bizarre approval from El Reg, especially after the article contains...

          "But except in rare circumstances, that data is dumped out of a phone's internal memory almost as quickly as it goes in. Only in cases of a phone crash or a dropped call is information transferred to servers under the control of the cellular carrier so engineers can troubleshoot bottlenecks and other glitches on their networks."

          So it's just fine and dandy-o to dump out all those nice key taps and websites (like banking) as long as a fault occurs? Really?

        2. Mike Kamermans
          Happy

          Just because the monitor is unethical, doesn't mean the product is a security or privacy risk, let's be very clear about that.

          If I slap a signal analyser on your keyboard cord, lo and behold I can see exactly what you're typing. That doesn't make the keyboard a privacy threat. Even if I hook it up to a device that looks at data going by in real time, it's not a privacy threat because it doesn't log.

          If it logs, THEN it's a privacy threat, and punitive measure are probably in order. If it doesn't, this is an analytics tool, and any "keylogging" argument is nonsense. I for one look forward to the definitive call based on their source code. If it logs, they will be in a ridiculous amount of trouble. If it doesn't, this was a storm in a teacup.

  20. Anonymous Coward
    Anonymous Coward

    Unacceptable, plain and simple

    This article misses the most important argument against this form of software. It consumes resources on the users handset to perform a service that does not benefit the consumer.

    Then this Coward admits that it can be an efficient spy-tool when he says that it is possible for the software to change it's behaviour based on "proprietary" messages received via SMS. Furthermore, operators and manufacturers have the ability to sneak in additional spying capabilities through software upgrades.

    This kind of software has IMHO no place on a users handset in any shape or form. There is no excuse.

    1. Eddie Edwards

      You don't think the ability for the operator to diagnose user problems benefits the consumer?

  21. clanger9

    What happens when you change the SIM?

    It was claimed elsewhere that CarrierIQ continues to send info back to the carrier even if you unlock the handset and change the SIM to another provider. Is this true?

    It would be nice if you could ask this question directly to CarrierIQ.

  22. stu 4
    Black Helicopters

    filters

    The filters are key to this, and not an area that was investigated really in the interview.

    The fact that they are 'filtered' means FA. filtered for what ? And more importantly - what controls the filter ? is it fixed ? is it controllable by these control SMSes ?

    If, as I imagine it is, an SMS controllable filter, then what's to stop a control SMS saying - for the next 24 hours filter out nothing - upload it all.

    You'd have to be very privacy conscious to NOT design the filter control to be general enough to work like that - that would be the easiest way to code it - i.e. have an 'exclude XYZ || include XYZ' ACL type mechanism.

    So did the IQ bloke lie - no. Was he asked the right questions ? no.

    1. trashbat

      "Filters" explained

      It's not articulated brilliantly by the presumably non-technical chap, but here's what I understand their filtering to mean - as a professional Android developer.

      1. You wish to know when things of particular interest to you have happened; let's say (a) receipt of an SMS that is intended for interpretation by your application, and (b) when a certain key sequence is pressed.

      2. In order to do this, the application subscribes to the relevant system event (broadcast intents on Android). This is a general purpose subscription; in our scenario it is (a) receipt of any SMS, and (b) any key press.

      3. Your application receives the events when they happen and has the responsibility of working out if they are relevant; in this instance, perhaps it is (a) does the SMS begin with some special sequence, and (b) do the recently recorded key presses still form any expected sequence? This is the 'filter' being described.

      4. If it wasn't of interest, you drop the event and do no further processing. If it was, you respond appropriately; for instance hide the SMS from the user and perform its instruction as interpreted by the app logic.

      Now, Carrier IQ have caused some degree of alarm by adding debug logging for all events at step 3, rather than those of relevance.

      Unless you reverse engineer it or at least perform traffic analysis, you will never be sure that the app doesn't have some sleeper mechanism or make use of supposedly irrelevant data. One thing I can say is that if you persisted ALL of these events, you would significantly reduce the phone's responsiveness and eventually run out of storage.

  23. Anonymous Coward
    Anonymous Coward

    Occupy ElReg

    "Biting the hand that feeds IT"?

    No, in this case it's "Licking the wounds of the hand that feeds IT".

    The real questions were not asked. Why?

    1. Destroy All Monsters Silver badge
      Facepalm

      What do you mean "Why"?

      Because the fracking carrier asked us to and forks over money for it?

  24. Anonymous Coward
    WTF?

    Translation

    There is a hidden piece of software that looks at everything the phone does and in realtime decides that it won't do anything with it. Oh and this software can be configured to do something else by receiving an sms that the user will never see and has no way of knowing what the sms changed.

    And somehow this is all ok and you are satisfied there is no risk?

    Ask the important questions please. Why was this software kept secret. Sure the telcos installed it but who the eff did they get it from? IQ cant just say "it's them, not us" when they've had this software installed and running for so long without so much as a peep.

    Decides in realtime does it? So you telling me this has no effect on battery life, responsiveness, cpu load etc at all. Somehow I doubt it..

    You admit the profile of what to send and capture can be changed over the air and that some telcos do receive a list of apps youve installed and used on the phone.

    And this is ok somehow. No problem with having all the apps you use on your phone transmitted. Really now..

    1. Anonymous Coward
      Anonymous Coward

      +1: telco installed spyware rootkit

      This goes way beyond any ISP and propsed DPI infrastructure. They just wanted to know what your HTTP connections were, but your computers were a black box to them, as were HTTPS connections.

      This rootkit -let's give its true name- clearly gives updates on the apps running -so that carriers can stamp down on tethering (I always wondered how they did that -no more need to wonder), find out what users do with their phones etc.

      This has nothing to do with call quality. Even customer diagnostics could be handled with a diagnostics app. No: this is datamining you, the customer, for better marketing and billing. And if you run up extra charges per month in the process, well, all the better.

      Sadly, you can be sure whoever wrote it got their security all wrong and now there is a rootkit in most of the US phones, one controllable from SMS calls, those phones are in trouble.

      All those claims about Malware on Adroind? Not needed. It came preinstalled by the telcos

    2. Drew V.

      Also, if the telcos installed it, why did they install it? What's the incentive? Were they payed off or did someone lean on them, or is there some other potential profit motive?

      Cui Bono?

  25. Anonymous Coward
    Facepalm

    Fishing analogy? or actually phishing?

    What a wasted opportunity to call it like it really is, a "phishing net".

    Very poor show El Reg, your standards were clearly lowered in order to score an apparently exclusive interview with Mr Coward.

  26. Anonymous Coward
    Anonymous Coward

    So many toys thrown out of the pram here, can't get into the room...

    The carriers have all your traffic, calls and call logs anyway, because they "carry" it, and repressive regimes already log everything anyway.

    If they were storing and forwarding to you know who, noone would know, nor could acknowledge it because of its secrecy, and acting on any information gleaned would compromise that secrecy, so your affair with the secretary or whatever nefarious drug deals or tax dodges or hacking you're engaged in are ignored. However, if you're planning a terrorist operation, then someone needs to know, even if any intel gained is inadmissible in court.

    IF a government has honour and integrity to follow this codex, isn't it something that people would want?

    However, what is of concern is if a 3rd party can exploit it.

  27. murbul
    WTF?

    App snooping

    I'm inclined to believe that they don't log keypresses and other sensitive info, but then the guy says this:

    "We have others . . . where they get an upload once a day that will contain information about what applications you've been using."

    This is a massive WTF to me. What right does a carrier have to log this kind of info? Why should they know what apps I run? Surely people would be outraged if their ISP (somehow) maintained a list of every piece of software running on your PC, even if it is only for "diagnostic and performance analysis purposes". I know this information is accessible via the Android API to any app, but for the carrier to silently track and upload this using a hidden pre-installed app that can't easily be removed is a huge breach in my opinion.

    That they admit this and seem to see no problem with it speaks volumes. What else do they upload?

  28. Anonymous Coward
    Anonymous Coward

    They are missing the point.

    If you don't choose to share that information CIQ should not be running at all. Incidentally. I am running an old Cyanogen mod, and it doesn't have CIQ (as far as i can see), when i logcat, i don't see key presses, but when i call, i do see the number dialed, it also logs the sms i receive, including the number. It logs the full https:// requests i make.

    it logs my location every few seconds:

    D/NetworkLocationProvider( 111): onCellLocationChanged [...]

    And a few other things that shouldn't be logged. I could easily write an app that "filters" this information the same way CIQ does.

    I am not satisfied with their response at all. every admin should know that sensitive information should not be logged, especially not on the main system log. It looks to me like untidy programming, they just didn't remove the debug output.

    But i am not convinced that CIQ are the culprit. i think it's actually google developers which are logging this info from deep inside the OS.

    from CIQ's response, i think there is another much more serious vulnerability though, but a hard one to exploit. if you were to have a fake base station, you could send those system update SMS, which will update the Android OS with your custom updates. Am i wrong?

    1. trashbat

      Update SMS

      Having replied to that, I realise you mean something different - the system update notifications that point towards a new ROM to flash. The updates are typically done using a standard (OMA DM), which may or may not involve SMS - you would have to look at that for details, but I'm pretty sure there are security challenges built into it such that a simple spoofed message wouldn't cut it.

    2. trashbat

      Log files, SMS

      Reading system log files requires a system permission, so at least a user would have to opt in to that. NetworkLocationProvider is the Android OS; whether that information should be logged or not is questionable but frankly if you've got on to the phone with the permissions to read it, you're only a baby step away from reading the source information yourself.

      As for the SMS, basically: no. You can't update the Android OS from app land, at least not without root privileges, and even then it would be akin to SQL injection - i.e. could you break CIQ's SMS parser & associated logic so badly that you could use it to execute arbitrary system commands? I'd hope not!

    3. Anonymous Coward
      Anonymous Coward

      if you were to have a fake base station

      You mean the same fake base stations the Police now routinely deploy to intercept/block mobile phone traffic at protests?

    4. trashbat

      Reading system log files requires a system permission, so at least a user would have to opt in to that. NetworkLocationProvider is the Android OS; whether that information should be logged or not is questionable but frankly if you've got on to the phone with the permissions to read it, you're only a baby step away from reading the source information yourself.

      As for the SMS, basically: no. You can't update the Android OS from app land, at least not without root privileges, and even then it would be akin to SQL injection - i.e. could you break CIQ's SMS parser & associated logic so badly that you could use it to execute arbitrary system commands? I'd hope not!

  29. Anonymous Coward
    Anonymous Coward

    Capturning URLs

    According to http://www.wired.com/threatlevel/2011/12/carrier-iq-data-vacuum/ CIQ are seeing URLS and are quite capable of trapping that information:

    "He said that the information is useful for users who call the phone company complaining, for example, that Facebook won’t load.The carrier’s operator, he said, might tell the complaining customer that the reason it won’t load is because the customer is misspelling “Facebook.”

    “They could say, ‘Facebook is spelled F-A-C-E-B-O-O-K,’” he said. “We certainly recognize that as a future thing for advertising, clearly having that information from a marketing perspective is very interesting.”

    Since the company is getting the URLs from the phone, they are able to record encrypted search terms such as https://www.google.com/#hl=en&sugexp=ppwe&cp=3&gs_id=p&xhr=t&q=abortion+clinics. By contrast, your carrier, which sits between you and the internet, would normally only see https://www.google.com/ — for encrypted searches."

    So - Care to re-asses your statement that everything is hunky dory and A-OK with CIQ's application.

    1. Vic

      > By contrast, your carrier, which sits between you and the internet,

      > would normally only see https://www.google.com/ — for encrypted searches

      Not even that.

      SSL is used before any of the GET. Even the FQDN is encrypted. This is why it is essentially impossible[1] to have multiple HTTPS virtual servers on the same IP/port combination.

      Vic.

      [1] Yes, of course there are exceptions when you can get a key signed with wildcards in it. But that doesn't happen in the general case unless you have a *lot* of clout...

  30. bigphil9009

    The idea that this is all there for our benefit just doesn't wash with me. The part where he says that they monitor all key presses so that an operator can ask you to key a certain set of key presses just doesn't sound plausible; how many carriers actually provide that level of service? I just tried this with O2. I called them about having had some dropped calls and they just said to try them again or go to an area if stronger signal. No mention at all of gathering information to send back.

  31. Gil Grissum

    Disturbing

    "Yes, a key logger was put on your new laptop by the manufacturer, and yes they intercept every key stroke, but no, they don't save any logs."

    It all started with them threatening a security researcher when it was found by him that their software was purchased for use by Carriers, does not allow any method for the handset owner to opt out, and logs every keystroke. They only dropped that threat when the EFF got involved. Now they are using the Reg to backpedal and claim innocence and the reg is buying that? Highly suspect to me. Glad I got the iPhone 4S and turned off my HTC EVO 4G. Not selling it on Ebay as planned, as the mere presence of the CIQ analytics software means that someone else can surely glean info from it.

    1. Anonymous Coward
      Anonymous Coward

      Obvious

      Obvious troll is obvious

    2. zen1

      Maybe I'm wrong

      but I thought CIQ was installed on the 4s

    3. Anonymous Coward
      Anonymous Coward

      "...but no, they don't save any logs*"

      * unless directed to by a secret SMS we can send to your phone, to alter the logging behaviour and endpoints, which of course we would never dream of doing, unless asked nicely by certain three-letter-acronymed organisations. But don't worry, if you've nothing to hide, you've nothing to fear... and it doesn't do that by default, so what's all the fuss about anyway?

  32. All names Taken

    At 3 pages...

    Methinks the VP doth protest too much.

  33. spock_it
    Big Brother

    Everybody is a hacker today

    It is not the phone user role to be carrying debugging devices, especially not knowing about them. As users we pay for a finite product. Carriers should do their tests outside production environment. What we see is a scheme, justifying obvious data theft by 'debugging'. We know what debugging is and next to it seats hacking and cracking . The difference is from who is paying for the job. If the the debugging tool is in my pocket and not aware about it this is at least hacking, and definitely not debugging.

  34. heyrick Silver badge
    Stop

    All the comments for and against...

    It's like the one with tracking your mobe through a shopping centre... just because it is technically possible doesn't automatically mean it should be done; and certainly in the case of end-user privacy (a concept which has taken quite a beating recently), any sort of consent needs to be explicit and not buried within Terms & Conditions.

    [Hello? Is posting broken? Is My Posts broken? Third attempt...]

    1. Hud Dunlap
      Coat

      are the posts broken

      Sometimes I wonder. My post saying that the response to Senator Al Franken is the one that matters.

      I thought I left my phone in my coat.

  35. Anonymous Coward
    Anonymous Coward

    I'll take the VP at his word

    At the bottom of the first page of the article he says:

    “What the video is depicting is the application printing out what are known as bugging logs,"

    Not 'de-bugging' logs. I thought it was simply an error on his part, but on reflection, I think he was being honest.

    It is bugging software and there is no excuse for installing it without telling the user up-front before a deal is signed.

  36. Lloyd
    Happy

    Andrew Coward

    It just doesn't get any less funny.

  37. Anonymous Coward
    Anonymous Coward

    A fairly considered article I think

    So its not logging, although it is certainly intercepting keystrokes.

    I find the response OK from a privacy perspective but...

    the fact an app CAN intercept that much data is an issue to me. Regardesll of CarrierIQ's assurance this means that other stealth services could also intercept the device's internal communications and harvest lots of data for less honarble purposes.

    This may not be the bad-guy app but the door is clearly open !

  38. Nick Pettefar

    Secure Communications

    You should never trust telephones for secure communications.

  39. Andy Watt
    FAIL

    Forget security for a moment... a little-discussed angle... power consumption and performance?

    OK, this (possibly) operator-loaded spyware operates "in the RAM space" - but how many cycles is it consuming watching EVERY keypress - spying on the OS event loop - seriously, this thing sounds like it's hooked in like a debugger: you don't run anything compiled for debug on your laptop normally, because it's HUGE in comparison and consumes resources with all the extra work.

    Now take that overhead, and impose it on a limited-resource platform, 100% of the time, with a mandated download period when the stats are sent to the carrier.

    - How much battery life is being wasted?

    - How much did you pay, en masse, for the electricity to collect and send this data?

    - How much of your device's wow factor and smooth, slick UI transitions has been compromised by this crapware?

    The lack of EXPLICIT opt-in (f*** this "operator small print" bollocks) is unforgiveable.

    Oh - and the fella who reckoned this would get "most users" rooting their phones to install CyanogenMod? Forget it. Most "users" will poddle along as usual, blissfully unaware anything is going on, apart from having to charge their phone every sodding day. El Reg is not a repository of "normal people" (meant with the best intentions!)

    1. trashbat

      Performance

      The underlying events like key presses are already produced and dispatched to interested parties by the system (e.g. the keyboard app!), so it's not like you are running a continuous monitoring thread on top of everything else. Obviously nothing comes for free: your processing of the event adds some cycles, but provided it's just logic and not say putting them in a database, it's not anything to write home about. You're right that debug log output adds to this overhead unnecessarily, but again without great penalty.

      In the context of other apps it all adds up, but in terms of that alone, I'd bet that you couldn't tell the difference.

      Probably more of an issue is that the available space and RAM are going to be reduced to accommodate both the app and its constant presence; whatever it maintains in RAM reduces the breadth of usable multitasking, and just having it on the device reduces the available space for third party apps which is often comically low to begin with.

      Data usage is more of a contentious issue; if you are clever, you are opportunistic about when you send traffic - when the phone is already awake & in use, for instance, rather than waking everything up just to do it at a specific time. I would expect the traffic to be zero-rated (not charged) by the operator, but I don't know for sure.

      1. heyrick Silver badge

        Performance?

        I had a little app that stayed resident (Android doesn't seem to like to kill stuff that you're done with) and while doing NOTHING it sucked life out of my battery such that I couldn't manage eight hours of MP3 with radio comms off. It is certainly possible to make something slow and laggy that strangles the hardware, as MotoBlur users may attest...

        1. trashbat

          Not the platform

          Indeed - but you could write an app that used 100% of your desktop's CPU and you wouldn't blame the platform. Android seems reasonable at getting rid of unused stuff, but it's easy enough to write your app in such a way that it won't usually be killed (background services being a prime example) and in such a way that it has a negative effect on battery life (stopping the phone going to low power sleep being another).

          I haven't got the CIQ app so I don't know how well it behaves - but these issues aren't inherent to Android or (as far as I know) any other platform.

      2. This post has been deleted by its author

  40. heystoopid
    Big Brother

    So?

    So ?

    Now we are told, well in excess of 140,000,000 smart phones have been infected with a Carrier IQ trojan keylogger/spyware virus app!

    In addition, it is a known certainty that all Apple Ipones spy on their owners with the very same application.

    Or, perhaps the real number of deliberate spy on me company infected smart phones, in use around the world, is in reality closer to the total number of smart phones sold to date?

    In other news, Google recently removed 40 very flawed applications available from the Andriod App Store, as it was demonstrated, that they too were carriers of disguised trojans,keyloggers and other malware!

    But then again, if Joseph Stalin were alive today, he would have a big smile on his lips, as all the so called freely elected western democracies rapidly adapt his older methods of spying, revised with modern technology to spy on their own citizens! Now tell me, who lost the cold war again?

    Is there not a cynical Yankee saying:- "Fool me once, shame on you, fool me twice, shame on me!"

    Or another saying goes "Pull the other one, it has bells!"

  41. FozzyBear
    Black Helicopters

    Wow

    Just Wow.

    It is amazing that some commentators, including the author, would actually take anything that this man has said at face value. Why would I believe the man when he is the one peddling the product..

    Unless a completely independant body/person is able to verify his claims, again, it's all just snake oil to me. If his claims are right than the question is why the hell does it need to be preinstalled on the handsets.

  42. Shades

    48 hours El Reg?

    This has been going on for over a week now! Carrier IQs first reaction was to send in the dogs and threaten the little guy who found their software with a lawsuit, which they very, very quickly dropped once the EFF got involved. This, in my eyes, tells us all we need to know about CIQ and their software... They used scare tactics and then quickly withdrew them in the hope that TrevE would consider himself lucky and not pursue things further. Something to hide fellas?

    Hopefully the damage is done and no amount of attempted limitation is going to put the genie back in the bottle... well, until another, similar company sneaks in the back door and we get to take another spin on the privacy merry-go-round... again!

    Thank goodness we've got inquisitive guys like TrevE looking out for us, and, when companies decide to "shoot first", they've got the EFF to back them up.

  43. Anonymous Coward
    Big Brother

    Too lenient

    To me the real questions are:

    Why they decided to make this an hidden, unkillable process with no opt-out on Android. This was their biggest mistake of all.

    Then why did they try to sue TrevE first thing instead of coming completely clear as they are trying to do now.

    Finally when he talks about key combinations or SMSs to call up functions in the Carrier IQ app, what exactly are those functions and can a hacker take control of the Carrier IQ app via them.

    In way of farewell maybe ask him what he plans to do in the future, now that his company is dead.

  44. Anonymous Coward
    Anonymous Coward

    "Logs" are stored and saved in the mobile device

    Anytime an Android app writes to the logs, they are literally "logged", written and saved onto a log file. The logcat utility can be used to peek into the contents of the file, and can be used to clear (flush) the contents of the log file. Go read the Android Developer documentation:

    http://developer.android.com/guide/developing/debugging/debugging-log.html

    No matter how you slice it, all of those debug messages containing valuable, private, and confidential data is "stored" and "saved" in a log file managed by the Android mobile operating system. Programmers should NEVER send debug messages that capture and contain valuable, private, and confidential user data to log files and release the app into production to 150 million users.

  45. P 14
    FAIL

    Neutral except

    I don't like automated processes on anything that I haven't by choice enabled. That its silent, background and hidden, makes me NOT want it on my phone, as much as I don't want bloatware on a PC. No choice means no choice. The crux is that I wouldn't have an issue IF I was asked on a support call, to have turned it on, if I needed to, as long as when the issue was fixed I could turn it back off. I don't GAME with my AV running a full scan. Give me an off switch and I wont complain further. Other people thinking on my behalf feels as ill boding as other people thinking for meat all.

  46. Anonymous Coward
    Anonymous Coward

    quite easy to check if you have it

    https://market.android.com/details?id=com.app.ciqchecker

  47. Anonymous Coward
    Facepalm

    Questions you should have asked

    "We do also record the telephone numbers the SMSs are from and to."

    Q. Do you think that the telephone numbers of the people that somone communicates with can be sensitive?

    "One of the reasons for that is there's a huge amount of radio information that gets transmitted."

    Q. Does this include data which could be used to track the user's location - for example the times and identities of the base stations the phone has been talking to, maybe the signal strength too?

    "There are a sequence of key codes that can be typed by the user that cause the software to do things in the control center."

    Q. What is the sequence of key codes that will turn the bloody thing off.

  48. Hud Dunlap
    Holmes

    What about the U.S. Senate

    They can say what they want to El Reg. I want to see their response to Senator Al Franken. Lying to him would be a very bad idea.

  49. Anonymous Coward
    Anonymous Coward

    I'm sorry ...

    But I don't believe you.

  50. Mike Flugennock
    FAIL

    Carrier IQ VP: App on millions of phones not a privacy risk

    Of course, this can only mean one thing: Apps on millions of phones ARE a privacy risk.

  51. Anonymous Coward
    Anonymous Coward

    Smack them!

    I know they might've meant well

    I hate to constantly think bad about everyone who deals with any private data

    But

    Seems to me like Carrier IQ + Telcos need to be smacked upside the head. HARD!

    The more times people are in an uproar - even (or perhaps preferably) one totally out of proportion - the more chances people who work in the same field have at understanding that people are paranoid bastards who do not like anyone secretely snooping around in their data.

    Openly snooping is however fine (see: Facebook). It all really boils down to being able to perform a somewhat informed choice.

    And yes I realise that this is a horribly consequentialist reason for punishing someone, but as we're dealing with companies, it's really the only thing that can have effect!

  52. heyrick Silver badge
    Stop

    All the comments for and against...

    It's like the one with tracking your mobe through a shopping centre... just because it is technically possible doesn't automatically mean it should be done; and certainly in the case of end-user privacy (a concept which has taken quite a beating recently), any sort of consent needs to be explicit and not buried within Terms & Conditions.

  53. Anonymous Coward
    Anonymous Coward

    pls brck my fone strangr

    "The reason the SMS contents and key taps are monitored at all is so they can be used to invoke Carrier IQ programming interfaces". Bloody hell.

    Given that invoking the CIQ API must have a non-zero cost of cpu time and memory space, that because this is a non-public diagnostic tool the error checking will probably be pitiful, can we look forward to a spate of Android DOS attacks invoked purely by spamming a text message? I think we can.

  54. Alister

    Like tiny fish through a net, key taps dropped from memory

    Is that a haiku?

  55. heyrick Silver badge

    All the comments for and against...

    It's like the one with tracking your mobe through a shopping centre... just because it is technically possible doesn't automatically mean it should be done; and certainly in the case of end-user privacy (a concept which has taken quite a beating recently), any sort of consent needs to be explicit and not buried within Terms & Conditions.

  56. Decius
    Black Helicopters

    Logging?

    If you can't get the information after power cycling the phone, it hasn't been logged.

    Guess what else has to monitor every key press? Every active program. The browser also has to see the URL, by the way. I wonder how paranoid these people get about the logging done by car computers.

  57. All names Taken

    I wonder if that is yet another reason for poor battery performance on Android kit?

    (Too many background processes running like most of the time?)

This topic is closed for new posts.

Other stories you might like