Android Dev Demonstrates CarrierIQ Phone Logging Software On Video 322
Token_Internet_Girl writes with a followup to last week's news about Android developer Trevor Eckhart, who was researching software from CarrierIQ, installed on millions of cellphones, that secretly logged a variety of user information — from button presses to text message contents to browsing data. CarrierIQ tried to silence Eckhart, but later backtracked. Now, Eckhart has posted a video demonstration of CarrierIQ's logging software. From the article:
"The company denies its software logs keystrokes. Eckhart’s 17-minute video clearly undercuts that claim. ... The video shows the software logging Eckhart's online search of 'hello world.' That's despite Eckhart using the HTTPS version of Google, which is supposed to hide searches from those who would want to spy by intercepting the traffic between a user and Google. ...the video shows the software logging each number as Eckhart fingers the dialer. 'Every button you press in the dialer before you call,' he says on the video, 'it already gets sent off to the IQ application.'"
Re:Can't someone sue the carriers? (Score:5, Interesting)
you have to sign the carriers agreement, and in the carriers agreement, there is undoubtedly a clause where you give them permission to collect your data and use it as they see fit
That would seem right, but only for the time of the contract. What if, as in the video, you have a phone which isn't bound to a contract anymore, and still spying on you?
Comment removed (Score:5, Interesting)
Re:CyanogenMod (Score:3, Interesting)
Please don't reply that Android is open source, unless you can show me the sources for CIQ!!!
Please don't reply that Linux is open source, unless you can show me the sources for Flash or Opera.
Comment removed (Score:5, Interesting)
Re:Can't someone sue the carriers? (Score:5, Interesting)
Carrier IQ DENIES that they are recording keystrokes. They deny this right now, on their website in a PDF, that is linked to right at the top of their home page:
"While we look at many aspects of a device’s performance, we are counting and summarizing performance, not recording keystrokes or providing tracking tools. The metrics and tools we derive are not designed to deliver such information, nor do we have any intention of developing such tools."
So even if our agreement with the carrier permits logging/capturing of this data, it doesn't allow you to LIE about doing it. Their software clearly logs data. We don't know if it keeps that data or transmits it back to anyone. But the data is clearly being captured in some fashion as demonstrated by the video.
May I suggest... (Score:5, Interesting)
Re:Can't someone sue the carriers? (Score:4, Interesting)
But is the data actually transmitted anywhere? (Score:5, Interesting)
In this video, the researcher is looking at debug logs from the phone itself, not network traffic logs showing remote communication. He clearly shows that keystrokes and URLs are being passed to the IQ software running on the phone, but presents no evidence that the data is actually sent to anything outside of the phone.
Has anyone determined what the IQ software does with all this information besides writing it to the debug logger? Is it actually sent somewhere, or saved to persistent storage on the phone? (I'm no Android expert, but I'm under the impression that debug messages are discarded when there's no debugger attached.)
Having this software running in the background is sneaky and certainly makes spying more possible than it would be otherwise, but it's not necessarily the huge immediate privacy violation that everyone seems to be assuming it is.
Re:Can't someone sue the carriers? (Score:5, Interesting)
I'm curious to know why Apple is never implicated in such privacy and tracking discussions.
CarrierIQ was discovered because it is a third party program - and so it shows up in the Android debugger. Much of Android is open source, so even if it did not, people could write their own debuggers to expose it.
Apple develops the hardware, the OS, and the debugger - and it is all closed source. If they wanted to build complete tracking into the kernel, and not have it show up in the debugger at all, they could. So - how do you know that they didn't? Just because nobody has exposed it yet, does not mean that it does not exist.
Not exactly accurate... (Score:4, Interesting)
Disclaimer: I have thoroughly reverse engineered CarrierIQ's software.
This issue has been blown out of proportion. CarrierIQ has hooks that respond to events triggered by keystrokes, web traffic, and SMS messages. It also makes the mistake of printing debugging output containing plaintext of some of this data, which is a pretty bad screwup. Additionally, there's no real reason CIQ should have hooks in those places in the first place.
What they don't do is actually store any of this information and report it to your carrier (keep in mind I know this because I actually looked at the application). In terms of what's actually being stored, I've seen no evidence that CIQ is collecting anything more than what they have publicly claimed: anonymized metrics data. That doesn't mean users shouldn't be able to opt-out of this software, since it still represents a potential risk to privacy. But at this point, this whole thing has turned into a witch hunt.
In short, there's a big difference between "look, it does something when I press a key!" and "it's storing all my keystrokes and sending them to my carrier!". This video demonstrates the first, but the second doesn't actually happen. They shouldn't be doing what they're doing, and users should be able to opt out, but this isn't nearly as evil as people are making it out to be.
Re:Not PCI compliant (Score:5, Interesting)
And therein lies the solution to this problem. As soon as someone hacks into their database and steals a ton of credit card info, personal data, etc, there will be enough uproar and backlash to kill off CarrerIQ, and bite carriers like AT&T that preinstalled it.