
Carrier IQ Software May Be in iOS, Too (234 comments)

Posted by timothy
from the y'know-to-be-fair dept.
New submitter Howard Beale writes with this excerpt from The Verge: "To date, the user tracking controversy surrounding Carrier IQ has focused primarily on Android, but today details are surfacing that the company also may have hooks into Apple's iOS. Well-known iPhone hacker Chpwn tweeted today that versions at least as recent as iPhone OS 3.1.3 contained references to Carrier IQ and later confirmed it's in all versions of iOS, including iOS 5." The details are still emerging; however, iPhone users will be happy to hear that while it's reported that the software is available to the OS, "the good news is that it does not appear to actually send any information so long as a setting called DiagnosticsAllowed is set to off, which is the default."

  • by Anonymous Coward on Thursday December 01, 2011 @10:44AM (#38225772)

    It matters because what the contract allows is ambiguous at best and definitely does not cover all that CarrierIQ is capable of (what it is configured for on a given phone from a given carrier may be a different story). In fact, keystroke logging of text messages may be in violation of federal wiretap laws, particularly if the logging continues even when the phone is not connected to a cellular network.

  • by Anonymous Coward on Thursday December 01, 2011 @10:51AM (#38225836)

    Confirmed that with tcpdump have you? Apple have hidden / obfuscated this nasty software hoping no one would notice it. That's pretty damning in itself, even if they have the decency to give it a config screen (assuming the screen is real and the code honors the settings).

  • by Rogerborg (306625) on Thursday December 01, 2011 @10:52AM (#38225840) Homepage
    Good news: last time you looked, he was still sitting in the back and hadn't stabbed you yet.
  • by alen (225700) on Thursday December 01, 2011 @10:53AM (#38225860)

    carriers and handset makers need the ability to monitor their networks for problem cell sites and areas of low to no signal as well as diagnostics about the phone and any problem apps.

    if you go for tech support it's not like the people magically know everything that is wrong with your phone. the diagnostics data is collected and analyzed. if you complain of dropped calls it's important to know where they are occurring

  • by Lunix Nutcase (1092239) on Thursday December 01, 2011 @11:00AM (#38225934)

    That's funny cause I don't remember Google, HTC, etc. telling anyone about this on Android phones. Oh, I forgot. Apple baaaaaad!

  • by Anonymous Coward on Thursday December 01, 2011 @11:05AM (#38225966)

    Apple doesn't need it. Hint: it's in the product's name. The carriers want it.

  • by thisnamestoolong (1584383) on Thursday December 01, 2011 @11:06AM (#38225992)
    It is not, however, important for them to have the keystrokes that you enter into your phone before sending encrypted communications. There is NO WAY that this is not a violation of the law if it is not explicitly mentioned in the ToS, as keystroke logging could never be remotely construed as even remotely necessary for system diagnostics; its only purpose is the violation of privacy.
  • by Lucky75 (1265142) on Thursday December 01, 2011 @11:17AM (#38226100)
    Of course, when Apple does it, it must be okay. If other manufacturers do, BURN THEM AT THE STAKE!
  • by Bill_the_Engineer (772575) on Thursday December 01, 2011 @11:19AM (#38226132)

    since android is open you can just compile the code yourself and install a copy of the OS on your phone without this

    Yeah, let's bring out the "android is open" mantra. Conveniently leave out the rooting part, the waiting for Google to decide to release the source code, and waiting for groups like CyanogenMod to make a rom image for your phone.

    I don't have an iPhone but if I did I could easily say I can do [insert special neat trick] with my iPhone after jail breaking it. There really isn't much of a real difference for people with the initiative. Especially if you depend on other people to do the real work for you.

    Let's keep the discussion on phones as delivered to the average consumer.

    Now take a deep breath and rationally think this through. Which is easier (for anyone)?

    1. Turning off the settings using the menus within the iPhone, or

    2. Downloading a rom image from CyanogenMod, rooting your Android phone, and reinstalling Google binaries and resetting all your user settings.

  • by Desler (1608317) on Thursday December 01, 2011 @11:27AM (#38226220)

    Thanks for showing how much of a fanboi you are. Hiding software with keyloggers is okay cause Android is open source! But Apple baaaad because they have it disabled by default and easily turned off by one settings switch rather than having to reflash your phone.

  • by DeadCatX2 (950953) on Thursday December 01, 2011 @11:42AM (#38226384) Journal

    At least according to US laws, the content of your communications is still considered private. It's just the destination and time of communication (bookkeeping data) that has no expectation of privacy.

    The fact that SMS keystrokes can be recorded is clearly a violation of privacy.

    I'm also quite worried about the fact that I have to put the password for my work account into my phone in order to receive my work emails. I expect those to be private as well, especially since the password field is masked with *'s (which definitely implies that the password is private). The fact that some previously unknown company may know my work password is frightening to me.

  • by tobiasly (524456) on Thursday December 01, 2011 @11:56AM (#38226546) Homepage

    I don't have an iPhone but if I did I could easily say I can do [insert special neat trick] with my iPhone after jail breaking it. There really isn't much of a real difference for people with the initiative. Especially if you depend on other people to do the real work for you.

    Um, please define "special neat trick". If you think there "isn't much of a real difference for people with the initiative" then you obviously haven't participated in the Android custom ROM community. iPhone has nothing like it, and the reason for that is that Android is open-source.

    Is it a perfect, fully open community driven hacker's utopia? No, but I blame the carriers for that much more than Google. Sure they keep their crown jewels (Gmail, Maps etc.) closed and proprietary but they've certainly raised the bar for openness on mass-market consumer devices and they deserve credit for that.

    Now take a deep breath and rationally think this through. Which is easier (for anyone)?

    1. Turning off the settings using the menus within the iPhone, or

    2. Downloading a rom image from CyanogenMod, rooting your Android phone, and reinstalling Google binaries and resetting all your user settings.

    Can you tell me with any certainty that Option 1 absolutely prevents any such data from being sent to the carriers or CarrierIQ?

    And you forgot Option 3, which is to vote with your wallet and buy a Nexus device, which doesn't have Carrier IQ, which Google releases the source code for (including all binary drivers where source isn't available) as soon as, or (with 4.0) before the device launches, and is the most open, hacker friendly mass-market consumer mobile device in the US today.

  • by Culture20 (968837) on Thursday December 01, 2011 @12:02PM (#38226628)

    Part of the agreement is to allow Apple and the cellular carrier to monitor and be able to diagnose problems. One has zero expectation of privacy anyway with a cell phone, so having software which is present as per a signed contract is to be expected.

    Keylogging my username and password for my https or ssh connections is definitely not part of the agreement as I understood it (and a valid contract is a meeting of the minds, not an evil trap full of gotchas), nor any other data that I might be typing in to encrypted or even non-encrypted sessions. Sure, I admit that the non-encrypted sessions might be listened to by someone, but the expectation is that the someone in that scenario is not my phone provider using a tool they installed before I bought it.

  • by Anonymous Coward on Thursday December 01, 2011 @12:25PM (#38226908)

    since android is open you can just compile the code yourself and install a copy of the OS on your phone without this

    News: $ANDROID_DEVICE has $PRIVACY_FLAW, made worse by $UNPATCHED_BUG and $CARRIER_BACKDOOR.
    iOS Fanboys: lol android sux!
    Android Fanboys: That's okay, because Android is Open(TM), and anyone can easily fix this by installing their own version of Android.
    iOS Fanboys: yeah, but no normal person will do that, also you're nerds.

    News: iPhone has $PRIVACY_FLAW, made worse by $UNPATCHED_BUG and $APPLE_BACKDOOR
    Android Fanboys: lol apple sux!
    iOS Fanboys: That's okay, because Apple will fix this in the next version, and anyone else can fix this by jailbreaking
    Android fanboys: yeah, but users shouldn't deal with evil companies, also you're clueless sheep.

  • by Sloppy (14984) on Thursday December 01, 2011 @12:25PM (#38226914) Homepage Journal

    Let's keep the discussion on phones as delivered to the average consumer.

    Why? What a boring discussion that would be. But ok, here it is: users, carriers, and manufacturers have conflicting interests, and software which serves counter-user interests is almost always bundled with the hardware, which is why average consumers never end up with good phones.

    There. Now that discussion is over, let's move the discussion on how to get a good phone, i.e. how to avoid being an average consumer.

    CyanogenMod is one way to get a pretty decent one. Buying an out-of-production and doomed Maemo is another. Anyone know of any other options?

  • Re:Reassuring? (Score:5, Insightful)

    by jc42 (318812) on Thursday December 01, 2011 @12:43PM (#38227120) Homepage Journal

    Does your mom have this choice? I know mine would have no clue.

    Similarly with mine. But this is perhaps best answered with the canonical auto analogy: My mom also wouldn't have a clue about her car's transmission. Does that mean that transmissions should be "closed" systems that can't be worked on by independent experts (both professional and amateur)?

    Saying that something should be "open" doesn't imply that we think that everyone is expected to hack at it themselves. It means that people who don't (care to) know about the details can hire someone who does know. That way people can get their gadgets' problems diagnosed and fixed. Without this, diagnosis and repair can only be done by the manufacturer's people. Many corporations have a history of hiding known problems even when people are dying from them.

    If your only choice is to take it to the dealer, you've just been set up as an easy mark. And when it comes to the low-level details of comm devices, you've been set up to have your identity stolen and your bank accounts emptied. Your only defense against this is to insist that your stuff (whose innards you don't care about) be open to investigation by people other than the ones who sold it to you.

    Actually, the auto analogy applies there pretty well, too. Lots of large organizations have their own auto/truck maintenance & repair departments. They don't buy vehicles without shop manuals, because they want their own people to do the repairs. This isn't saying that everyone who buys a vehicle should have a shop manual and do their own repairs. It's just saying that you'd be a fool to buy a vehicle for which the shop manuals aren't available. Without shop manuals, a vehicle generally doesn't sell well to large organizations who can afford their own staff of experts.

    (Though this analogy does have its limits. There are a few high-end extremely expensive cars whose buyers always have work done by a dealer's specialized mechanics. This might apply to super-computers, too. But in those cases, the specialized mechanics still have all the manuals they need to work on the low-level components. And such cars aren't mass-market products.)

  • by amicusNYCL (1538833) on Thursday December 01, 2011 @01:06PM (#38227422)

    carriers and handset makers need the ability to monitor their networks for problem cell sites and areas of low to no signal

    First, handset makers don't have networks or cell sites. Second, why do carriers need to use my device to test their network, they don't have their own equipment to do that? And if my device is transmitting diagnostic data, why the hell are they charging me data fees to send them diagnostics? I should be charging them. The point is that they don't need to use my device to test their network. And if they're going to ask me to do that, they sure as hell better tell me and better give me a way to opt out. Neither of those happened when I bought my phone. iOS took the right path with specifically calling it diagnostic mode, and having it disabled by default. Sprint tries to hide it from me. That's not right.

    as well as diagnostics about the phone and any problem apps

    Again, they don't *need* the ability to do that. It would be *nice* if they had it, and frankly if they asked me I might allow them. But since they try to sneak it in the backdoor now I simply don't trust them and it's finally pushed me to the point where I'm ready to install Cyanogenmod and get rid of their software altogether. So now they get nothing.

    if you go for tech support it's not like the people magically know everything that is wrong with your phone.

    Yeah, you're right, even with all the data my phone has been sending them they still don't know what's wrong with it. So why should I send the data to them?

    if you complain of dropped calls it's important to know where they are occurring

    A diagnostic application specifically for monitoring dropped calls is completely different than the software that is actually being used. Dropped calls are just one aspect that they try to highlight to claim that the software is benevolent, and then they deny the ability to log keystrokes even when proof is shown that they are.

    If the company is lying about what their capabilities are and what data they're collecting, then that's a major red flag. That's enough to get me to remove the software.

  • by unencode200x (914144) on Thursday December 01, 2011 @01:56PM (#38228432)
    Wouldn't this same logic apply to an ISP and your computer? Should they be able to install a key logger on your computer to "diagnose" connection issues? Isn't a smart phone a computer with a phone?
  • by shutdown -p now (807394) on Thursday December 01, 2011 @01:57PM (#38228452) Journal

    That's why everyone takes the carrier phone and contract; it's not because we're all stupid, it's because it's the most cost effective solution in a shitty market.

    It depends on what you want to do with the phone. If you e.g. use it for tethering, the cost of buying an unlocked international version for full price recoups itself pretty quickly.

    Also, it is possible to have 5-band 3G phones that work on both AT&T and T-Mo, so you can at least switch between those two. For example, Galaxy Nexus is 5-band HSPA 850/900/1700/1900/2100 - which covers both AT&T's 1900MHz, and T-Mo's 1700/2100 MHz.

  • by TheLink (130905) on Thursday December 01, 2011 @02:08PM (#38228686) Journal
    Car analogy: just because you buy a car on hire-purchase doesn't mean the bank gets to do whatever they want with the car. Even if you don't pay up, there are still certain limitations to what they can do to repossess the car.

    And even if you rent a car, the rental agency doesn't get to do whatever they like with the car once you've rented it out.

    IANAL but I suspect recording conversations in the car and recording videos of the interior would generally not be legal unless you get permission from the court.
  • by shutdown -p now (807394) on Thursday December 01, 2011 @02:43PM (#38229308) Journal

    The problem here is that the HTC phone that was previously dissected also has a similar disclaimer, and a switch to disable logging... the problem is that CarrierIQ software actually does more than what that disclaimer described, and was not fully affected by any switches. In particular, it's a keylogger.

    Of course, it's a big question whether CarrierIQ in iOS is anything like the one in Android. But, at this point, the fact that the name is even present at all is a big red flag.

  • by Anonymous Coward on Thursday December 01, 2011 @03:37PM (#38230170)

    So just because carriers install it on their Android phones, we have to assume that Apple goes through the trouble of writing it into their OS (which they do), that they include a configuration screen for it (which they do), but somehow forgets to include the code that honors those settings? Why do we have to assume that for Apple devices? Apple devices are different because they don't appear to let the carriers install (and remove configuration options for) whatever crap they want to on Apple devices, whereas Google specifically does allow carriers to do this by the nature of developing Android as open source code.

    Your argument is the same as fundamentalists who believe in god and conspiracy theorists - that because you cannot disprove it that you have to believe it is true. It is just as fallacious when you say it as when others say it in a different context. You are not applying common sense to this situation; please stop.

  • by Anonymous Coward on Thursday December 01, 2011 @03:56PM (#38230454)

    If they include an option to turn it off, and the option is off by default, how is that "secretly" installing it on their phones? That's pretty blatant if you ask me.
