
Android Dev Demonstrates CarrierIQ Phone Logging Software On Video 322

Posted by Soulskill
from the hand-in-cookie-jar dept.
Token_Internet_Girl writes with a followup to last week's news about Android developer Trevor Eckhart, who was researching software from CarrierIQ, installed on millions of cellphones, that secretly logged a variety of user information — from button presses to text message contents to browsing data. CarrierIQ tried to silence Eckhart, but later backtracked. Now, Eckhart has posted a video demonstration of CarrierIQ's logging software. From the article: "The company denies its software logs keystrokes. Eckhart’s 17-minute video clearly undercuts that claim. ... The video shows the software logging Eckhart's online search of 'hello world.' That's despite Eckhart using the HTTPS version of Google, which is supposed to hide searches from those who would want to spy by intercepting the traffic between a user and Google. ...the video shows the software logging each number as Eckhart fingers the dialer. 'Every button you press in the dialer before you call,' he says on the video, 'it already gets sent off to the IQ application.'"

  • by GPLHost-Thomas (1330431) on Wednesday November 30, 2011 @06:50AM (#38212330)

    you have to sign the carrier's agreement, and in the carrier's agreement, there is undoubtedly a clause where you give them permission to collect your data and use it as they see fit

    That would seem right, but only for the time of the contract. What if, as in the video, you have a phone which isn't bound to a contract anymore, and it is still spying on you?

  • by fsckmnky (2505008) on Wednesday November 30, 2011 @07:06AM (#38212390)

    A contractual agreement to something deemed illegal does not overrule the law.

    It is not illegal for you to agree to the carrier's collection of the data, which is why regulation specifically making it illegal, or spelling out your rights, is required to stop it.

    I see no reason for a carrier's data collection policy to include keylogging everything a customer does outside of extenuating circumstance (suspected terrorist or something).

    Yes, you, like myself, see no reason "to allow" carriers to collect this data. That said, a carrier has "every incentive to collect" this data. It has commercial value. They can sell it to the government / police for investigative purposes, they can data mine it in order to find hidden value, and every bit of data sent can be counted towards your monthly usage cap, thereby, increasing the odds that you will run over and incur additional charges.

    Please understand I am not arguing on behalf of carriers, merely attempting to point out the reality of the current environment. I don't own a smart phone, as I am aware that the reality of it, is that, I am paying to be spied on.

  • Re:CyanogenMod (Score:3, Interesting)

    by MimeticLie (1866406) on Wednesday November 30, 2011 @07:20AM (#38212462)

    Please don't reply that Android is open source, unless you can show me the sources for CIQ!!!

    Please don't reply that Linux is open source, unless you can show me the sources for Flash or Opera.

  • by fsckmnky (2505008) on Wednesday November 30, 2011 @07:44AM (#38212584)
    Indeed. If the government began a program to spy on everyone domestically, it would undoubtedly cause a huge uproar, and likely be deemed unconstitutional (at least I hope it would be deemed as such).

    But if companies collect the data, then the government can simply request the records, and pay the company a fee for retrieving them, as part of an "investigation."

    Web search ... "what are you interested in ?"
    Web analytics ... "what sites are you visiting ?"
    Friends lists ... "who do you know / communicate with ?"
    Mapping ... "where are you going ?"
    GPS / wi-fi detection .... "where are you at right now ?"
    SMS ... "what have you said to whom ?"

    Welcome to the matrix. Good luck flushing yourself from it.
  • by Anonymous Coward on Wednesday November 30, 2011 @07:51AM (#38212612)

    Carrier IQ DENIES that they are recording keystrokes. They deny this right now, on their website in a PDF, that is linked to right at the top of their home page:
    "While we look at many aspects of a device’s performance, we are counting and summarizing performance, not recording keystrokes or providing tracking tools. The metrics and tools we derive are not designed to deliver such information, nor do we have any intention of developing such tools."

    So even if our agreement with the carrier permits logging/capturing of this data, it doesn't allow you to LIE about doing it. Their software clearly logs data. We don't know if it keeps that data or transmits it back to anyone. But the data is clearly being captured in some fashion as demonstrated by the video.

  • May I suggest... (Score:5, Interesting)

    by aug24 (38229) on Wednesday November 30, 2011 @08:01AM (#38212656) Homepage
    ...someone with skillz makes a freely installable CIQ clone that sends them back fake, randomly generated results.
  • by andydread (758754) on Wednesday November 30, 2011 @08:36AM (#38212812)
    Unfortunately for you it looks like you won't be owning a cell phone of any type. And I suppose you don't own one now. Almost every cellphone from certain carriers has CarrierIQ installed. This has nothing to do with Google or the underlying operating system. Carrier IQ is crapware that is installed on phones by the CARRIER. And it's on Nokia phones and BlackBerrys along with many many many feature phones. Apple has been tight lipped but don't be surprised if it is found on iPhones either. They already have a client available for iPhones. So if the carrier chooses to install it you are SOL.
  • by Wyzard (110714) on Wednesday November 30, 2011 @09:05AM (#38212960) Homepage

    In this video, the researcher is looking at debug logs from the phone itself, not network traffic logs showing remote communication. He clearly shows that keystrokes and URLs are being passed to the IQ software running on the phone, but presents no evidence that the data is actually sent to anything outside of the phone.

    Has anyone determined what the IQ software does with all this information besides writing it to the debug logger? Is it actually sent somewhere, or saved to persistent storage on the phone? (I'm no Android expert, but I'm under the impression that debug messages are discarded when there's no debugger attached.)

    Having this software running in the background is sneaky and certainly makes spying more possible than it would be otherwise, but it's not necessarily the huge immediate privacy violation that everyone seems to be assuming it is.

  • by sunderland56 (621843) on Wednesday November 30, 2011 @10:23AM (#38213668)

    I'm curious to know why Apple is never implicated in such privacy and tracking discussions.

    CarrierIQ was discovered because it is a third party program - and so it shows up in the Android debugger. Much of Android is open source, so even if it did not, people could write their own debuggers to expose it.

    Apple develops the hardware, the OS, and the debugger - and it is all closed source. If they wanted to build complete tracking into the kernel, and not have it show up in the debugger at all, they could. So - how do you know that they didn't? Just because nobody has exposed it yet, does not mean that it does not exist.

  • by djrbliss (1926364) on Wednesday November 30, 2011 @10:30AM (#38213748)

    Disclaimer: I have thoroughly reverse engineered CarrierIQ's software.

    This issue has been blown out of proportion. CarrierIQ has hooks that respond to events triggered by keystrokes, web traffic, and SMS messages. It also makes the mistake of printing debugging output containing plaintext of some of this data, which is a pretty bad screwup. Additionally, there's no real reason CIQ should have hooks in those places in the first place.

    What they don't do is actually store any of this information and report it to your carrier (keep in mind I know this because I actually looked at the application). In terms of what's actually being stored, I've seen no evidence that CIQ is collecting anything more than what they have publicly claimed: anonymized metrics data. That doesn't mean users shouldn't be able to opt-out of this software, since it still represents a potential risk to privacy. But at this point, this whole thing has turned into a witch hunt.

    In short, there's a big difference between "look, it does something when I press a key!" and "it's storing all my keystrokes and sending them to my carrier!". This video demonstrates the first, but the second doesn't actually happen. They shouldn't be doing what they're doing, and users should be able to opt out, but this isn't nearly as evil as people are making it out to be.

  • Re:Not PCI compliant (Score:5, Interesting)

    by Dan East (318230) on Wednesday November 30, 2011 @11:34AM (#38214644) Homepage Journal

    And therein lies the solution to this problem. As soon as someone hacks into their database and steals a ton of credit card info, personal data, etc, there will be enough uproar and backlash to kill off CarrierIQ, and bite carriers like AT&T that preinstalled it.
