Carrier IQ VP: App on millions of phones not a privacy risk

More than 48 hours after a software developer posted evidence Carrier IQ monitored the key taps on more than 141 million smartphones, a company official has come forward to rebut the disturbing allegations. And he's provided enough technical detail to convince The Register the diagnostics software doesn't represent a privacy …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    I can see the need for this, truly I can

    What I'm more worried about is the fact that it's pre-installed and that it can be used as an attack point for someone to take the rights that this software has and to extend it further.

    My radio connection to the network is crap enough as it is (Maybe this will help) but do I want some other shmuck to exploit this software and to start doing stuff with it that I have no control over? I didn't agree to their EULA or sign a legal agreement with them in the first place!!

    This seems to me like a way to get into a few million handsets with your eyes closed.

  2. Spud2go

    @~mico

    From Cyanogenmod website, 02-12-2011

    http://www.cyanogenmod.com/blog/cyanogenmod-will-never-have-carrier-iq

  3. Anonymous Coward
    WTF?

    To put it another way.

    "Yes Officer, I stole 50,000 ebooks from Amazon, but I didn't look at any of them, so I haven't done anything wrong".

    Violating the privacy and data protection laws in (probably) every country in the world, but it's OK, they were only following orders.

  4. Brett Weaver
    Thumb Down

    I'm Sorry But..

    Not querying the company about their initial reaction, and the inferences we are allowed to draw from that, means that this is a puff piece.

  5. WonkoTheSane

    Have you got it?

    Try "Voodoo Carrier IQ Detector" from the Android Market.

    (Says no on my Orange Samsung Galaxy SII)

    1. Zippy the Pinhead
      Thumb Up

      @wonko

      Thanks for the idea about doing a search for Carrier IQ in the Market

      Here's something curious.. I am on a Droid Razr.. and on Verizon in fact.. and I've downloaded 2 different Carrier IQ detector utils and neither have this rootkit. So I can only assume that it was never installed or Verizon trying to head off a shitstorm of protest has turned it off on my device. Either that or the applications I downloaded from the market do not actually work.

  6. Christian Berger
    Facepalm

    The radio thing doesn't make much sense

    After all, particularly on UMTS/WCDMA you can simply use the data your base-stations hand to you to not only precisely locate the position of the mobile station, but also determine the path loss as well as the impulse response of the path. That's way more than you can find out via talking to the baseband chip.

    In short it demonstrates what is wrong with the industry. The carriers believe that the mobile station is theirs and they can decide what you do with it. This may be legitimate if they give it to you for free or very cheap, however in most cases you still pay the full price, so you should get full access to the device. This also means I should not only get the right to execute any software and the right to not execute software I don't want, but also to have a sensible way of accessing the device, i.e. a shell which is not just a bunch of buttons.

  7. LarsG

    IF IT WAS SO ABOVE BOARD....

    why was it hidden, why say nothing about it until forced to?

    Imagine buying a car and only being told it is fitted with a tracker as standard 10 years after you buy it.

    Very unsavory and very suspicious.

  8. Anonymous Coward

    read their own words...

    “IQ Insight Experience Manager overcomes the drawbacks of traditional techniques of user testing such as focus groups, where sample size is small and the process is slow. Experience Manager takes customer experience profiling to an advanced level with multiple levels of granularity, from the entire population, to comparative groups, down to individual users– all at the touch of a button,” he continued.

    IQ Insight Experience Manager uses data directly from the mobile device to give a precise view of how the services and the applications are being used, even if the phone is not communicating with the network."

    http://www.carrieriq.com/company/PR.Experience_Manager.CTIA-09.090325.pdf

    that is from a 2009 press release - what appalling, fawning journalism from the Reg... don't believe what they tell you when they're on the defensive, better believe their sales boasts to industry insiders.

    These guys have the ring of arms dealers with the same defences ... 'if we weren't doing it, someone else would' .... 'we just sell the stuff, what our customers do with it is out of our hands' ... 'if you think what we do is bad, just look at what our customers have got on you without our help!'

  9. Will Godfrey Silver badge
    Unhappy

    Don't trust them an inch!

    Everything I hear just makes me more convinced that this is something extremely invasive and prone to abuse that I don't want anywhere near a phone of mine - or anyone else's, for that matter.

    I'm astonished that El Reg sees this any differently.

    1. Anonymous Coward

      Re: Don't trust them an inch!

      An interview with Carrier IQ does not signify trust or approval.

      1. Anonymous Coward
        WTF?

        What about "And he's provided enough technical detail to convince The Register the diagnostics software doesn't represent a privacy threat to handset owners."

        Does that not signify trust and approval?

        1. Mark 65

          Bizarre approval from El Reg, especially after the article contains...

          "But except in rare circumstances, that data is dumped out of a phone's internal memory almost as quickly as it goes in. Only in cases of a phone crash or a dropped call is information transferred to servers under the control of the cellular carrier so engineers can troubleshoot bottlenecks and other glitches on their networks."

          So it's just fine and dandy-o to dump out all those nice key taps and websites (like banking) as long as a fault occurs? Really?

        2. Mike Kamermans
          Happy

          Just because the monitor is unethical, doesn't mean the product is a security or privacy risk, let's be very clear about that.

          If I slap a signal analyser on your keyboard cord, lo and behold I can see exactly what you're typing. That doesn't make the keyboard a privacy threat. Even if I hook it up to a device that looks at data going by in real time, it's not a privacy threat because it doesn't log.

          If it logs, THEN it's a privacy threat, and punitive measures are probably in order. If it doesn't, this is an analytics tool, and any "keylogging" argument is nonsense. I for one look forward to the definitive call based on their source code. If it logs, they will be in a ridiculous amount of trouble. If it doesn't, this was a storm in a teacup.

  10. Anonymous Coward

    Unacceptable, plain and simple

    This article misses the most important argument against this form of software. It consumes resources on the user's handset to perform a service that does not benefit the consumer.

    Then this Coward admits that it can be an efficient spy-tool when he says that it is possible for the software to change its behaviour based on "proprietary" messages received via SMS. Furthermore, operators and manufacturers have the ability to sneak in additional spying capabilities through software upgrades.

    This kind of software has IMHO no place on a user's handset in any shape or form. There is no excuse.

    1. Eddie Edwards

      You don't think the ability for the operator to diagnose user problems benefits the consumer?

  11. clanger9

    What happens when you change the SIM?

    It was claimed elsewhere that CarrierIQ continues to send info back to the carrier even if you unlock the handset and change the SIM to another provider. Is this true?

    It would be nice if you could ask this question directly to CarrierIQ.

  12. stu 4
    Black Helicopters

    filters

    The filters are key to this, and not an area that was investigated really in the interview.

    The fact that they are 'filtered' means FA. Filtered for what? And more importantly - what controls the filter? Is it fixed? Is it controllable by these control SMSes?

    If, as I imagine it is, an SMS controllable filter, then what's to stop a control SMS saying - for the next 24 hours filter out nothing - upload it all.

    You'd have to be very privacy conscious to NOT design the filter control to be general enough to work like that - that would be the easiest way to code it - i.e. have an 'exclude XYZ || include XYZ' ACL type mechanism.

    So did the IQ bloke lie - no. Was he asked the right questions? No.

    1. trashbat

      "Filters" explained

      It's not articulated brilliantly by the presumably non-technical chap, but here's what I understand their filtering to mean - as a professional Android developer.

      1. You wish to know when things of particular interest to you have happened; let's say (a) receipt of an SMS that is intended for interpretation by your application, and (b) when a certain key sequence is pressed.

      2. In order to do this, the application subscribes to the relevant system event (broadcast intents on Android). This is a general purpose subscription; in our scenario it is (a) receipt of any SMS, and (b) any key press.

      3. Your application receives the events when they happen and has the responsibility of working out if they are relevant; in this instance, perhaps it is (a) does the SMS begin with some special sequence, and (b) do the recently recorded key presses still form any expected sequence? This is the 'filter' being described.

      4. If it wasn't of interest, you drop the event and do no further processing. If it was, you respond appropriately; for instance hide the SMS from the user and perform its instruction as interpreted by the app logic.

      Now, Carrier IQ have caused some degree of alarm by adding debug logging for all events at step 3, rather than those of relevance.

      Unless you reverse engineer it or at least perform traffic analysis, you will never be sure that the app doesn't have some sleeper mechanism or make use of supposedly irrelevant data. One thing I can say is that if you persisted ALL of these events, you would significantly reduce the phone's responsiveness and eventually run out of storage.
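An added example, not part of the thread and not Carrier IQ's code: a small simulation of the subscribe, filter, drop pattern described in steps 1 to 4 above, with debug logging placed before the filter (the behaviour the comment describes) beside logging placed after it. The control prefix, the key sequence and the sample events are hypothetical and constructed for illustration.

```python
import logging
from dataclasses import dataclass

# Hypothetical values: the thread does not say what the real agent matches on.
CONTROL_PREFIX = "//DIAG:"
SERVICE_KEY_SEQUENCE = "*#1234#"


@dataclass(frozen=True)
class Event:
    kind: str      # "sms" or "key"
    payload: str   # message body, or a single key press


class ListHandler(logging.Handler):
    """Keeps log messages in memory so the log can be audited afterwards."""

    def __init__(self):
        super().__init__(level=logging.DEBUG)
        self.lines = []

    def emit(self, record):
        self.lines.append(record.getMessage())


class Agent:
    """Receives every SMS and key event (step 2) and filters them itself (step 3)."""

    def __init__(self, log_before_filter):
        self.log_before_filter = log_before_filter
        self.recent_keys = ""
        self.actions = []
        self.sink = ListHandler()
        self.log = logging.Logger("agent", level=logging.DEBUG)
        self.log.addHandler(self.sink)

    def _relevant(self, ev):
        if ev.kind == "sms":
            return ev.payload.startswith(CONTROL_PREFIX)
        if ev.kind == "key":
            # Keep only as many recent keys as the sequence being matched.
            width = len(SERVICE_KEY_SEQUENCE)
            self.recent_keys = (self.recent_keys + ev.payload)[-width:]
            return self.recent_keys == SERVICE_KEY_SEQUENCE
        return False

    def on_event(self, ev):
        if self.log_before_filter:
            # Weak placement: every event, payload included, reaches the log.
            self.log.debug("event kind=%s payload=%s", ev.kind, ev.payload)
        if not self._relevant(ev):
            return  # step 4: drop, no further processing
        if not self.log_before_filter:
            # Corrected placement: only matches are logged, without the payload.
            self.log.debug("matched kind=%s", ev.kind)
        self.actions.append(ev.kind)


# Constructed sample input: a private SMS, a typed password, then the two
# events the agent is actually interested in.
SECRETS = ["hunter2", "493201"]
EVENTS = (
    [Event("sms", "Your bank code is 493201")]
    + [Event("key", k) for k in "hunter2"]
    + [Event("sms", CONTROL_PREFIX + "profile=dropped-calls")]
    + [Event("key", k) for k in SERVICE_KEY_SEQUENCE]
)


def recoverable(lines, secrets):
    """Audit: which of the given secrets can a reader of the log reassemble?"""
    keys, texts = [], []
    for line in lines:
        head, sep, payload = line.partition(" payload=")
        if sep:
            (keys if "kind=key" in head else texts).append(payload)
    haystack = "".join(keys) + "\n" + "\n".join(texts)
    return [s for s in secrets if s in haystack]


def run(log_before_filter):
    agent = Agent(log_before_filter)
    for ev in EVENTS:
        agent.on_event(ev)
    return agent.actions, recoverable(agent.sink.lines, SECRETS)


if __name__ == "__main__":
    for mode in (True, False):
        actions, leaked = run(mode)
        print(f"log_before_filter={mode}: actions={actions} leaked={leaked}")
```

Both variants act on the same two events; only the position of the log call decides whether unrelated messages and key presses end up readable in the system log.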

  13. Anonymous Coward

    Occupy ElReg

    "Biting the hand that feeds IT"?

    No, in this case it's "Licking the wounds of the hand that feeds IT".

    The real questions were not asked. Why?

    1. Destroy All Monsters Silver badge
      Facepalm

      What do you mean "Why"?

      Because the fracking carrier asked us to and forks over money for it?

  14. Anonymous Coward
    WTF?

    Translation

    There is a hidden piece of software that looks at everything the phone does and in realtime decides that it won't do anything with it. Oh and this software can be configured to do something else by receiving an sms that the user will never see and has no way of knowing what the sms changed.

    And somehow this is all ok and you are satisfied there is no risk?

    Ask the important questions please. Why was this software kept secret? Sure the telcos installed it but who the eff did they get it from? IQ can't just say "it's them, not us" when they've had this software installed and running for so long without so much as a peep.

    Decides in realtime does it? So you telling me this has no effect on battery life, responsiveness, cpu load etc at all. Somehow I doubt it..

    You admit the profile of what to send and capture can be changed over the air and that some telcos do receive a list of apps you've installed and used on the phone.

    And this is ok somehow. No problem with having all the apps you use on your phone transmitted. Really now..

    1. Anonymous Coward

      +1: telco installed spyware rootkit

      This goes way beyond any ISP and proposed DPI infrastructure. They just wanted to know what your HTTP connections were, but your computers were a black box to them, as were HTTPS connections.

      This rootkit -let's give its true name- clearly gives updates on the apps running -so that carriers can stamp down on tethering (I always wondered how they did that -no more need to wonder), find out what users do with their phones etc.

      This has nothing to do with call quality. Even customer diagnostics could be handled with a diagnostics app. No: this is datamining you, the customer, for better marketing and billing. And if you run up extra charges per month in the process, well, all the better.

      Sadly, you can be sure whoever wrote it got their security all wrong and now there is a rootkit in most of the US phones, one controllable from SMS calls, those phones are in trouble.

      All those claims about Malware on Android? Not needed. It came preinstalled by the telcos.

    2. Drew V.

      Also, if the telcos installed it, why did they install it? What's the incentive? Were they paid off or did someone lean on them, or is there some other potential profit motive?

      Cui Bono?

  15. Anonymous Coward
    Facepalm

    Fishing analogy? or actually phishing?

    What a wasted opportunity to call it like it really is, a "phishing net".

    Very poor show El Reg, your standards were clearly lowered in order to score an apparently exclusive interview with Mr Coward.

  16. Anonymous Coward

    So many toys thrown out of the pram here, can't get into the room...

    The carriers have all your traffic, calls and call logs anyway, because they "carry" it, and repressive regimes already log everything anyway.

    If they were storing and forwarding to you know who, no one would know, nor could acknowledge it because of its secrecy, and acting on any information gleaned would compromise that secrecy, so your affair with the secretary or whatever nefarious drug deals or tax dodges or hacking you're engaged in are ignored. However, if you're planning a terrorist operation, then someone needs to know, even if any intel gained is inadmissible in court.

    IF a government has honour and integrity to follow this codex, isn't it something that people would want?

    However, what is of concern is if a 3rd party can exploit it.

  17. murbul
    WTF?

    App snooping

    I'm inclined to believe that they don't log keypresses and other sensitive info, but then the guy says this:

    "We have others . . . where they get an upload once a day that will contain information about what applications you've been using."

    This is a massive WTF to me. What right does a carrier have to log this kind of info? Why should they know what apps I run? Surely people would be outraged if their ISP (somehow) maintained a list of every piece of software running on your PC, even if it is only for "diagnostic and performance analysis purposes". I know this information is accessible via the Android API to any app, but for the carrier to silently track and upload this using a hidden pre-installed app that can't easily be removed is a huge breach in my opinion.

    That they admit this and seem to see no problem with it speaks volumes. What else do they upload?

  18. Anonymous Coward

    They are missing the point.

    If you don't choose to share that information CIQ should not be running at all. Incidentally, I am running an old Cyanogen mod, and it doesn't have CIQ (as far as I can see). When I logcat, I don't see key presses, but when I call, I do see the number dialed; it also logs the SMS I receive, including the number. It logs the full https:// requests I make.

    It logs my location every few seconds:

    D/NetworkLocationProvider( 111): onCellLocationChanged [...]

    And a few other things that shouldn't be logged. I could easily write an app that "filters" this information the same way CIQ does.

    I am not satisfied with their response at all. Every admin should know that sensitive information should not be logged, especially not on the main system log. It looks to me like untidy programming, they just didn't remove the debug output.

    But I am not convinced that CIQ are the culprit. I think it's actually Google developers which are logging this info from deep inside the OS.

    From CIQ's response, I think there is another much more serious vulnerability though, but a hard one to exploit. If you were to have a fake base station, you could send those system update SMS, which will update the Android OS with your custom updates. Am I wrong?

    1. trashbat

      Update SMS

      Having replied to that, I realise you mean something different - the system update notifications that point towards a new ROM to flash. The updates are typically done using a standard (OMA DM), which may or may not involve SMS - you would have to look at that for details, but I'm pretty sure there are security challenges built into it such that a simple spoofed message wouldn't cut it.

    2. trashbat

      Log files, SMS

      Reading system log files requires a system permission, so at least a user would have to opt in to that. NetworkLocationProvider is the Android OS; whether that information should be logged or not is questionable but frankly if you've got on to the phone with the permissions to read it, you're only a baby step away from reading the source information yourself.

      As for the SMS, basically: no. You can't update the Android OS from app land, at least not without root privileges, and even then it would be akin to SQL injection - i.e. could you break CIQ's SMS parser & associated logic so badly that you could use it to execute arbitrary system commands? I'd hope not!

    3. Anonymous Coward

      if you were to have a fake base station

      You mean the same fake base stations the Police now routinely deploy to intercept/block mobile phone traffic at protests?

  19. Anonymous Coward

    Capturing URLs

    According to http://www.wired.com/threatlevel/2011/12/carrier-iq-data-vacuum/ CIQ are seeing URLs and are quite capable of trapping that information:

    "He said that the information is useful for users who call the phone company complaining, for example, that Facebook won’t load. The carrier’s operator, he said, might tell the complaining customer that the reason it won’t load is because the customer is misspelling “Facebook.”

    “They could say, ‘Facebook is spelled F-A-C-E-B-O-O-K,’” he said. “We certainly recognize that as a future thing for advertising, clearly having that information from a marketing perspective is very interesting.”

    Since the company is getting the URLs from the phone, they are able to record encrypted search terms such as https://www.google.com/#hl=en&sugexp=ppwe&cp=3&gs_id=p&xhr=t&q=abortion+clinics. By contrast, your carrier, which sits between you and the internet, would normally only see https://www.google.com/ — for encrypted searches."

    So - Care to reassess your statement that everything is hunky dory and A-OK with CIQ's application?

    1. Vic

      > By contrast, your carrier, which sits between you and the internet,

      > would normally only see https://www.google.com/ — for encrypted searches

      Not even that.

      SSL is used before any of the GET. Even the FQDN is encrypted. This is why it is essentially impossible[1] to have multiple HTTPS virtual servers on the same IP/port combination.

      Vic.

      [1] Yes, of course there are exceptions when you can get a key signed with wildcards in it. But that doesn't happen in the general case unless you have a *lot* of clout...

  20. bigphil9009

    The idea that this is all there for our benefit just doesn't wash with me. The part where he says that they monitor all key presses so that an operator can ask you to key a certain set of key presses just doesn't sound plausible; how many carriers actually provide that level of service? I just tried this with O2. I called them about having had some dropped calls and they just said to try them again or go to an area of stronger signal. No mention at all of gathering information to send back.

  21. Gil Grissum

    Disturbing

    "Yes, a key logger was put on your new laptop by the manufacturer, and yes they intercept every key stroke, but no, they don't save any logs."

    It all started with them threatening a security researcher when it was found by him that their software was purchased for use by Carriers, does not allow any method for the handset owner to opt out, and logs every keystroke. They only dropped that threat when the EFF got involved. Now they are using the Reg to backpedal and claim innocence and the reg is buying that? Highly suspect to me. Glad I got the iPhone 4S and turned off my HTC EVO 4G. Not selling it on Ebay as planned, as the mere presence of the CIQ analytics software means that someone else can surely glean info from it.

    1. Anonymous Coward

      Obvious

      Obvious troll is obvious

    2. zen1

      Maybe I'm wrong

      but I thought CIQ was installed on the 4s

    3. Anonymous Coward

      "...but no, they don't save any logs*"

      * unless directed to by a secret SMS we can send to your phone, to alter the logging behaviour and endpoints, which of course we would never dream of doing, unless asked nicely by certain three-letter-acronymed organisations. But don't worry, if you've nothing to hide, you've nothing to fear... and it doesn't do that by default, so what's all the fuss about anyway?

  22. All names Taken

    At 3 pages...

    Methinks the VP doth protest too much.

  23. spock_it
    Big Brother

    Everybody is a hacker today

    It is not the phone user's role to be carrying debugging devices, especially not knowing about them. As users we pay for a finite product. Carriers should do their tests outside production environment. What we see is a scheme, justifying obvious data theft by 'debugging'. We know what debugging is and next to it sits hacking and cracking. The difference is from who is paying for the job. If the debugging tool is in my pocket and not aware about it this is at least hacking, and definitely not debugging.

  24. heyrick Silver badge
    Stop

    All the comments for and against...

    It's like the one with tracking your mobe through a shopping centre... just because it is technically possible doesn't automatically mean it should be done; and certainly in the case of end-user privacy (a concept which has taken quite a beating recently), any sort of consent needs to be explicit and not buried within Terms & Conditions.

    [Hello? Is posting broken? Is My Posts broken? Third attempt...]

    1. Hud Dunlap
      Coat

      are the posts broken

      Sometimes I wonder. My post saying that the response to Senator Al Franken is the one that matters.

      I thought I left my phone in my coat.

  25. Anonymous Coward

    I'll take the VP at his word

    At the bottom of the first page of the article he says:

    “What the video is depicting is the application printing out what are known as bugging logs,"

    Not 'de-bugging' logs. I thought it was simply an error on his part, but on reflection, I think he was being honest.

    It is bugging software and there is no excuse for installing it without telling the user up-front before a deal is signed.

  26. Lloyd
    Happy

    Andrew Coward

    It just doesn't get any less funny.

  27. Anonymous Coward

    A fairly considered article I think

    So it's not logging, although it is certainly intercepting keystrokes.

    I find the response OK from a privacy perspective but...

    the fact an app CAN intercept that much data is an issue to me. Regardless of CarrierIQ's assurance this means that other stealth services could also intercept the device's internal communications and harvest lots of data for less honourable purposes.

    This may not be the bad-guy app but the door is clearly open!

  28. Nick Pettefar

    Secure Communications

    You should never trust telephones for secure communications.

  29. Andy Watt
    FAIL

    Forget security for a moment... a little-discussed angle... power consumption and performance?

    OK, this (possibly) operator-loaded spyware operates "in the RAM space" - but how many cycles is it consuming watching EVERY keypress - spying on the OS event loop - seriously, this thing sounds like it's hooked in like a debugger: you don't run anything compiled for debug on your laptop normally, because it's HUGE in comparison and consumes resources with all the extra work.

    Now take that overhead, and impose it on a limited-resource platform, 100% of the time, with a mandated download period when the stats are sent to the carrier.

    - How much battery life is being wasted?

    - How much did you pay, en masse, for the electricity to collect and send this data?

    - How much of your device's wow factor and smooth, slick UI transitions has been compromised by this crapware?

    The lack of EXPLICIT opt-in (f*** this "operator small print" bollocks) is unforgiveable.

    Oh - and the fella who reckoned this would get "most users" rooting their phones to install CyanogenMod? Forget it. Most "users" will poddle along as usual, blissfully unaware anything is going on, apart from having to charge their phone every sodding day. El Reg is not a repository of "normal people" (meant with the best intentions!)

    1. trashbat

      Performance

      The underlying events like key presses are already produced and dispatched to interested parties by the system (e.g. the keyboard app!), so it's not like you are running a continuous monitoring thread on top of everything else. Obviously nothing comes for free: your processing of the event adds some cycles, but provided it's just logic and not say putting them in a database, it's not anything to write home about. You're right that debug log output adds to this overhead unnecessarily, but again without great penalty.

      In the context of other apps it all adds up, but in terms of that alone, I'd bet that you couldn't tell the difference.

      Probably more of an issue is that the available space and RAM are going to be reduced to accommodate both the app and its constant presence; whatever it maintains in RAM reduces the breadth of usable multitasking, and just having it on the device reduces the available space for third party apps which is often comically low to begin with.

      Data usage is more of a contentious issue; if you are clever, you are opportunistic about when you send traffic - when the phone is already awake & in use, for instance, rather than waking everything up just to do it at a specific time. I would expect the traffic to be zero-rated (not charged) by the operator, but I don't know for sure.

      1. heyrick Silver badge

        Performance?

        I had a little app that stayed resident (Android doesn't seem to like to kill stuff that you're done with) and while doing NOTHING it sucked life out of my battery such that I couldn't manage eight hours of MP3 with radio comms off. It is certainly possible to make something slow and laggy that strangles the hardware, as MotoBlur users may attest...
