Carrier IQ Drama Continues

alphadogg writes "A Cornell University professor is calling the controversial Carrier IQ smartphone software revelations a privacy disaster. 'This is my worst nightmare,' says Stephen Wicker, a professor of electrical and computer engineering at Cornell. 'As a professor who studies electronic security, this is everything that I have been working against for the last 10 years. It is an utterly appalling invasion of privacy with immense potential for manipulation and privacy theft that requires immediate federal intervention.'" Read on for a grab-bag of other news about the ongoing story of Carrier IQ's spyware.

Federal intervention is already on the menu; new submitter mitcheli writes "Following the video from Trevor Eckhart on Youtube after the filing of the Cease and Desist letter and subsequent reply by the EFF and apology letter (as reported on Slashdot), Senator Franken of the Subcommittee on Privacy Technology and the Law asks some rather pointed questions."

Franken has more reason, apparently, to look into this than might legislators in other countries; an anonymous reader submits news that Cambridge researchers have found the software to be confined to (or at least only confirmed in) American customers' phones. From their report: "We performed an analysis on our dataset of 5572 Android smartphones that volunteers from all over the world helped us create. From those 5572 devices, only 21 were found to be running the software, all of them in the US and Puerto Rico. The affected carriers we observed were AT&T, Boost Mobile and Sprint.
We found no evidence of the Carrier IQ software running on Android devices in any other country."

Another anonymous reader suggests that "Apart from anything else, the fundamental mistake that Carrier IQ made was attempting to silence a developer using a heavy-handed legal threat. Certainly this was the tipping point in terms of bring the whole incident to the public's attention."

Like apparently begets like; reader adeelarshad82 writes "Not surprisingly, the Carrier IQ controversy has resulted in some legal action. Class-action lawsuits have been filed in California and Missouri that accuse Carrier IQ, as well as Samsung and HTC, of violating federal wiretap laws. The California case was filed on behalf of four smartphone users with HTC and Samsung devices and accuses the companies of violating the Federal Wiretap Act, which prohibits the unauthorized interception or illegal use of electronic communications, and California's Unfair Business Practice Act."

Finally, GMGruman writes with the cautionary note that Carrier IQ and Facebook pose "the least of your privacy threats": "[S]o far these forms of monitoring anonymize the data, so an individual's actual privacy is not invaded. And while people fret over these potential invasions, a more pernicious privacy invasion is under way, one that monitors actual individuals and then uses that information to try to direct their behavior. For example, car insurers give monitoring boxes to customers to track their driving behavior and offer a discount if it is 'good.' Of course, the flip side is higher rates or no coverage if the black box decides you are "bad." And, as this blog post points out, this is just one of many such 'Big Brother corporation' efforts out there that give significant power to insurers and others who have a history of abusing personal information, such as for redlining and coverage denial."

Re:Analytics for Mobiles

[InsightIn140Bytes]

That might be so, but it doesn't change the fact that it's only Android devices where it's enabled by default.

Re:Analytics for Mobiles

[Lisias]

Isn't it interesting that the only OS that sent the info out by default was Android? iPhone didn't. While they were there too, Carrier IQ was disabled by default.

So interesting as the fact that only Noth America seems to have Carrier IQ on their Android devices...

And after all, Carrier IQ was just Google Analytics to mobiles. [...]

Google Analytics ANALyses every keystroke on your computer? Because Carrier IQ receives every dialer keystroke on the device. [xda-developers.com]

(I'm not saving Google's face here)

Wrong

[SuperKendall]

Wrong. Apple install it by default and even obfuscate the files.

Wrong yourself, or at least misleading - The carrier IQ that Apple ships with does not record anything at all by default, and even if you could figure out how to enable it records only a tiny bit of data, no keystrokes or SMS for example...

Nor do they obfuscate anything (unless you call shipping with it off a form of obfuscation).

Universal Wind.

[Ostracus]

Skeptics find flaws in Carrier IQ application analysis [networkworld.com]

As I posted in another forum, the court of public opinion isn't in complete agreement.

Re:Analytics for Mobiles

[madmark1]

As a 'Linux fan', you should know that not everything provided in your install was provided by the manufacturer, or was part of 'Linux'. Neither is CarrierIQ in any way part of Android. It is a separate piece of software, installed on some Android based phones by the carrier. It does not send data to Google, and there is even some debate on whether it sends anything, or merely logs it. Google is not benefitting from this data, nor can they sell it to others, since it isn't data they collected, or even knew about. It also, I might add, is installed on every iPhone from AT&T. It is likely still logging, but only sends the data back to CIQ if you allow it (which on older iPhones, is when you activate it. there seems to be no way to turn it off after that).

Re:Analytics for Mobiles

[Ostracus]

How Carrier IQ was wrongly accused of keylogging [cnet.com]

Re:questions

[sphealey]

And I think the answer to that will be, it was the carriers that decided what functions to enable. And the carriers were exempted from all electronic spying restrictions by the FISA extension of 2008 (aka absolve AT&T bill).

sPh

Re:Analytics for Mobiles

[b4dc0d3r]

Your quote says "receives" but your link says "logs". We still don't know what happens to those logs. There may be no privacy problem here other than potential availability to malware.

Yes, that is important, and yes the logs should be stopped. But you are asserting something we don't know is true.

Re:T-Mobile?

[517714]

Nope! [pcmag.com] "T-Mobile utilizes the Carrier IQ diagnostic tool to troubleshoot device and network performance with the goal of enhancing network reliability and our customers' experience. T-Mobile does not use this diagnostic tool to obtain the content of text, email or voice messages, or the specific destinations of a customers' Internet activity, nor is the tool used for marketing purposes."

Verizon, C Spire, MetroPCS, and US Cellular are the only US carriers currently denying Carrier IQ is used on their systems.

Re:Where are skilled slashdotters?

[Ostracus]

To test, I think you'd have to set up your own cell, as this doesn't use the wifi network. People with their own personal cell tower to test with probably work for or with the carriers, and so are under NDA WRT the whole thing.

Such a thing is called a microcell and can be purchased by the public.

You can put anything on iPhone without a jailbreak

[tlambert]

You can put anything on iPhone without a jailbreak

You just have to pay for a developer's license and enroll your phone.

What you don't get is the ability to to put any software you want on other people's phones by letting them download your application from your web site, you have to go through iTunes for that, and doing that requires Apple to approve your application. But when we get to that point, we've stopped talking about developer freedom and started talking about entrepreneurial freedom, which is something completely different.

PS: iPhones don't come with carrier crap installed; that's one of the reasons Apple didn't initially partner with Verizon; the other two reasons were the Qualcomm patent tax on CDMA hardware, and Verizon not wanting to set up a Visual Voice Mail service that met Apple's requirements.

PPS: All of the projects for running Linux on phones are only going to get somewhere if they break signature verification in the boot loaders, and the baseband software runs on a separate chip, rather than on the same chip as applications. That lets out a lot of smartphones (e.g. anything running a Qualcomm Snapdragon CPU). If they try to go ahead on those phones anyway, men in suits will show up citing the Code of Federal Regulations, 47, Section 2.944 covering Software Defined Radio.

-- Terry

Re:Analytics for Mobiles

[thisnamestoolong]

What you type into the URL bar is not public -- but where you go when you hit enter is. It has to be. That is the way the web works. When you travel around you are broadcasting your IP as you connect to different servers around the globe. The servers that you connect to are under no obligation to hide the fact that you have been in there. Think of the Internet as a big city (a city where you really, really want to stay away from the red-light district); as you walk around you are essentially anonymous due to the mass of people, but in reality everything you are doing is in the open. If you walk into a store and buy something, the store is not violating your privacy by acknowledging that you were there. If this were not the case, society wouldn't work. The Internet is the same thing; it is essentially anonymous due to the overwhelming amount of traffic, but at the end of the day, everything you are doing is public.

Encrypted data, however, is a different thing entirely. Encrypted data is more akin to carrying a letter around this city in a sealed envelope. There IS an expectation of privacy as to the contents of that letter; you put it in an envelope so that the guy sitting next to you on the train can't read it. Now, I know that Google does analyze the content of encrypted emails, but you are using their service, so this should again be expected. If I were to write something on paper while sitting in a Google office, I would have a very different expectation of privacy; it should be expected that they are able to monitor what happens on their own service (or building, in this analogy).

CIQ, however, effectively breaks all of our expectations of privacy. In this analogy, even if you locked yourself in your bedroom, made sure nobody was around, wrote the letter, and then sealed it in a light-proof envelope, CIQ would still know what you wrote on that letter. They would know because THEY WATCHED YOU WRITING IT. While you were writing that letter and taking all the proper measures to keep it private, they had a camera over your shoulder watching as your pen scribbled across the page. It was never disclosed to you that this camera was here. Now, they are defending themselves by saying that we cannot prove that the camera was actually transmitting the data back home, but we know for a fact that it was there and it was recording data. This is why a keylogger is a whole new level of privacy violation; it violates the sanctity of the physical device you are working on. This is what makes it orders of magnitude worse than anything in Marc Zuckerberg's wildest dreams. This is also why keyloggers are almost universally criminal. To compare it to Google Analytics belies a fundamental misunderstanding of the tech at hand. There is a relevant exchange in Pulp Fiction:

Vincent: I didn't say it's the same thing, I said it's the same ballpark.
Jules; Ain't no fuckin' ballpark neither! It ain't the same fuckin' league, it ain't even the same fuckin' sport!

While these characters were talking about something different, the same principle applies. Not only are Google Analytics not the same ball park, they ain't even the same fuckin' sport. The difference in magnitude is astonishing, and making such ill-fitting comparisons only diminishes the affront to decency that this software poses.