Carrier IQ Drama Continues 244
alphadogg writes "A Cornell University professor is calling the controversial Carrier IQ smartphone software revelations a privacy disaster. 'This is my worst nightmare,' says Stephen Wicker, a professor of electrical and computer engineering at Cornell. 'As a professor who studies electronic security, this is everything that I have been working against for the last 10 years. It is an utterly appalling invasion of privacy with immense potential for manipulation and privacy theft that requires immediate federal intervention.'" Read on for a grab-bag of other news about the ongoing story of Carrier IQ's spyware.
Federal intervention is already on the menu; new submitter mitcheli writes "Following the video from Trevor Eckhart on Youtube after the filing of the Cease and Desist letter and subsequent reply by the EFF and apology letter (as reported on Slashdot), Senator Franken of the Subcommittee on Privacy Technology and the Law asks some rather pointed questions." Franken has more reason, apparently, to look into this than might legislators in other countries; an anonymous reader submits news that Cambridge researchers have found the software to be confined to (or at least only confirmed in) American customers' phones. From their report: "We performed an analysis on our dataset of 5572 Android smartphones that volunteers from all over the world helped us create. From those 5572 devices, only 21 were found to be running the software, all of them in the US and Puerto Rico. The affected carriers we observed were AT&T, Boost Mobile and Sprint.
We found no evidence of the Carrier IQ software running on Android devices in any other country."
Another anonymous reader suggests that "Apart from anything else, the fundamental mistake that Carrier IQ made was attempting to silence a developer using a heavy-handed legal threat. Certainly this was the tipping point in terms of bring the whole incident to the public's attention."
Like apparently begets like; reader adeelarshad82 writes "Not surprisingly, the Carrier IQ controversy has resulted in some legal action. Class-action lawsuits have been filed in California and Missouri that accuse Carrier IQ, as well as Samsung and HTC, of violating federal wiretap laws. The California case was filed on behalf of four smartphone users with HTC and Samsung devices and accuses the companies of violating the Federal Wiretap Act, which prohibits the unauthorized interception or illegal use of electronic communications, and California's Unfair Business Practice Act."
Finally, GMGruman writes with the cautionary note that Carrier IQ and Facebook pose "the least of your privacy threats": "[S]o far these forms of monitoring anonymize the data, so an individual's actual privacy is not invaded. And while people fret over these potential invasions, a more pernicious privacy invasion is under way, one that monitors actual individuals and then uses that information to try to direct their behavior. For example, car insurers give monitoring boxes to customers to track their driving behavior and offer a discount if it is 'good.' Of course, the flip side is higher rates or no coverage if the black box decides you are "bad." And, as this blog post points out, this is just one of many such 'Big Brother corporation' efforts out there that give significant power to insurers and others who have a history of abusing personal information, such as for redlining and coverage denial."
Re:Analytics for Mobiles (Score:5, Insightful)
Re:Analytics for Mobiles (Score:5, Insightful)
Nice troll, but the vanilla Android devices (Nexus line) don't ship with the CarrierIQ software, which means that either the handset manufacturers or, much more likely given the US-centric focus, the carriers are responsible for installing it.
Re:Analytics for Mobiles (Score:0, Insightful)
Wrong. Apple install it by default and even obfuscate the files. It doesn't exist in Android, only the US carriers are installing it. Typical myopic Apple zealot, aren't you.
even if it does NOTHING... (Score:5, Insightful)
the problem is transparency.
If not Carrier IQ what next? What information are they gathering? What's the performance cost with this thing running in the background?
Somewhere in the back of my head Richard M. Stallman is laughing(and eating foot fungus).
Re:Analytics for Mobiles (Score:2, Insightful)
Isn't it interesting that the only OS that has Carrier IQ on every single device, supplied by the OS developer, is iOS?
See, it works both ways. Now how about we stop turning this into a retarded smartphone manufacturer fanboy flamewar and throw stones at Carrier IQ and the carriers that support them, which is where they belong?
Re:Analytics for Mobiles (Score:3, Insightful)
As a Linux fan through and through for fourteen years and counting I am endlessly surprised at the android circle jerk. Linux's customers are smart people who choose to use Linux, and linux distro providers work to supply them with what they want. Apple's customers are (probably also) smart people who don't want to care how a computer works (for good or bad) or customers with money to burn. Still, apple work to give them what they want . Microsoft's customers are people who want to get a job done with standards (even if they're bad), and MS will work to give them what they want (even if I disagree with the quality of what they provide)
But google's customers are advertisers. We, the users, are the product not the clientele, and issues like this with android WILL NOT END until google fundamentally changes its business model.
Google has and always will work to give their advertisers and marketers what they want first. The users and our privacy are a secondary priority
Re:Analytics for Mobiles (Score:5, Insightful)
Re:Analytics for Mobiles (Score:5, Insightful)
the vanilla Android devices (Nexus line) don't ship with the CarrierIQ software, which means that either the handset manufacturers or, much more likely given the US-centric focus, the carriers are responsible for installing it.
...Which is a very good point. Google gives not only end users but also manufacturers and carriers relatively free reign over Android phones. Apple retains much more control over the iPhone.
While it's easy to see how Apple's strategy can hurt power users, Google's strategy can hurt users also.
Re:Analytics for Mobiles (Score:5, Insightful)
That might be so, but it doesn't change the fact that it's only Android devices where it's enabled by default.
That's probably because the carriers are not able to enable it in iOS. So Apple - the only manufacturer of iOS devices - doesn't want it enabled in their phone, and the carriers are not able to do this. Android is more open, so either the phone manufacturers like Samsung and HTC can install it, or the carriers. So it's true, but it's only true because of the open nature of Android.
Re:Should have got a blackberry... (Score:4, Insightful)
Yes, because Blackberry has never handed over the keys to BBM when a nation-state has demanded them...
Re:questions (Score:4, Insightful)
I have a question for the senator:
Does the Computer Fraud and Abuse Act comply with the Constitution?
Re:Wait (Score:5, Insightful)
The carriers, while they almost certainly are up to their eyeballs in slime, have zillion-page 'contracts' with the people they are screwing, massive lobbying expertise, and quite possibly de facto or even de jure legal impunity when it comes to a little of the old wiretapping(just look at the, er, unimpressive consequences when their collaboration with the NSA was revealed...) CIQ, by contrast, is just a little coder shop somewhere, 6 years of history, not even the flimsiest of contracts with any phone users, and no obvious friends. Everybody who isn't their customers certainly has no reason not to want them gone, and even their customers would almost certainly rather switch spyware vendors(they've got plenty of options) than endure the PR hit of defending their present vendor...
Much as I'd love to watch CIQ's operations burned down with those responsible locked inside, I suspect that the focus on CIQ will drown out the (far more dire) fact that contemporary communications technology is running headlong into the dystopian future, and the world is crawling with upmarket spyware vendors who provide very similar products and services worldwide. CIQ was unlucky enough to land in hot water
Just a little while back, Etisalat was trojaning its blackberry customers [blackberry.com] with (poorly made) spyware from the wonderful people at SS8 [ss8.com]. Guess who suffered no consequences whatsoever and is still merrily peddling "Lawful intercept solutions"?
Re:Laws needed to ensure opt-out (Score:4, Insightful)
We do not need Opt-Out, we need Opt-In.
Such features, options, possibilities etc should be OPT-IN. If someone has problems with their carrier network. Then they can turn diagnostic tool ON and report it.
Re:Analytics for Mobiles (Score:2, Insightful)
Freedom can hurt people, yes. Freedom also lets you install vanilla android (or a community flavor, or whatever). The only problem with that might be some kind of warranty violation--but again, that is an evil of the manufacturer or carrier. Not Google.
AT&T can still violate the privacy of your iPhone. So can Apple. Google _cannot_ because (theoretically) you could check for and remove such violations. Is that done? Well, maybe or maybe not. But that's still better than Apple where it's impossible.
How unexpected is this, really? (Score:5, Insightful)
Ultimately, any carrier that doesn't already have this kind of detailed information on every one of their customers is at the least irresponsible and more likely idiotic - and even more likely soon out of business. Even for the "unlimited" plans out there, it is still worthwhile for the companies to watch what is going on in order to properly position themselves for future changes in consumer and business phone use.
Software freedom is the solution. (Score:5, Insightful)
As I'm sure you know: Without complete corresponding source code to all of the software running on a phone, you'll never know the answer to those questions.
RMS knew the solution to this problem before the problem became widespread (as he often does) and he got the solution right early on: this is a social problem, not a technological problem. The solution is software freedom for all computer users for all the software they run.
Sadly, the Carrier IQ debacle is unlikely to propel people to see this solution. The problem is too weak in its urgency because Carrier IQ's (or any other workalike) privacy violations are merely annoying or scary. Privacy violations usually don't kill or maim anyone. Also, the affected audience has low market value: the general public. When proprietary software used in internal medical devices fails and kills someone, there will be another opportunity to talk of software freedom as a social solution to be taken seriously. And, for a time, people will be more receptive to the idea that all computer users deserve software freedom. People seem to have no problem hiring professionals in other fields they don't understand (plumbers, doctors, lawyers, mechanics, builders) so it's not far-fetched to expect the public to hire computer programmers to inspect and modify programs on their behalf.
Re:How unexpected is this, really? (Score:5, Insightful)
While this is true, the part I find most disturbing about CarrierIQ is its capture of HTTPS request details and traffic over Wifi, neither of which would be available to the carrier otherwise. Yes, meta data related to calls are logged... carriers are in fact required to do so for a number of reasons (billing, mediation, audits, and servicing subpoenas, etc.) However, I do not subscribe to a data plan and any traffic I send over a Wifi connection should be between me, the Wifi router, and the remote machines I am connected to, particularly when using "secure" protocols like HTTPS.
Re:Analytics for Mobiles (Score:5, Insightful)
You've got it mixed up. The "transparency" is for the corporations and government who exist because we as a society allow them to. Corporations exist because governments allow them to exist and governments exist because we allow them to.
People get privacy. Every level of organization above the family gets transparency. Let me say it again: Privacy is for human beings. Transparency is for organizational entities that are not human.
If you breathe, you get privacy. If you exist because of a piece of paper, such as a corporation or government, you get transparency. That's the way it's supposed to work. When we start to assign metaphysical meaning to these paper entities, via fallacies such as patriotism and the "free market" then we get into all sorts of trouble. We think we can't expect transparency from our government because "we're patriotic and our government can do no wrong". We say we can't expect transparency from corporations because "corporations are persons and they have the rights of persons". We can see how quickly such notions can totally fuck things up.
We have heard a lot from the tea party saying "government needs to fear the people" and just because it's nothing more than a slogan to them doesn't mean they're not right. Just the same, corporations need to fear the people, maybe even more than governments because of the special benefits they have been given by society. I say, it's best to make sure we understand that both governments and corporations only exist to the extent that we allow and we have every right to demand transparency from both. Of course, people who would misuse the special benefits we have given them hate the notion of transparency and hate the notion that governments and corporations are ultimately answerable to the people (and not just people as consumers, by the way). That's why you're seeing the wildly over-the-top response to the anti-corporate message of Occupy Wall Street. Because if people figure out that we don't have to allow corporations to fuck with our lives then all hell could break lose and some very wealthy and powerful people might be made very uncomfortable.
I don't know where you got the idea that transparency requires less privacy for people, but it's a very dangerous and very wrong notion. You really need to re-think this.
Re:Software freedom is the solution. (Score:5, Insightful)
So it really boils down to trust -- at some point you have to either trust your cell phone provider not to screw you, or stop using a cell phone
I don't see it that way. I have complete faith that my mobile provider will try to screw me, just like my ISP. A phone is just like any other equipment you connect to the Internet - you just consider networks that you do not control as hostile and go from there.
Why blame Carrier IQ? (Score:3, Insightful)
IMO people who demonize CIQ are missing the target. You should demonize the companies who employed CIQ technology to spy on their customers.
The only thing CIQ is guilty of is being a for-profit company in a capitalist society. Where there is demand (AT&T, HTC, Samsung, Motorola) there will be supply (CIQ). Just like the spam issue.
If you don't existinguish the demand by penalizing CIQ's customers, perhaps through legislature, CIQ 2.0 will be incorporated in no time and you better believe the next root kit will be a lot harder to detect.
AB
Re:Analytics for Mobiles (Score:3, Insightful)
Secondly, somebody actually disassembled the damn thing:
> Rosenberg told CNET. His reverse-engineering showed that "there is no code in Carrier IQ that actually records keystrokes for data collection purposes."
I am not defending anyone. CIQ still records and transmits other data, but for fucks sake, get your facts straight!
Some guy showing debugging messages does not prove anything.
Re:You can put anything on iPhone without a jailbr (Score:4, Insightful)
A good chunk of developer freedom is tied up in distribution.
If you're allowed to develop, but not distribute, then your freedom as a developer has been compromised. Consider the various free applications available from the Cedega app installer - there's no entrepreneurial angle there.
There would be nothing from stopping you distributing your code for an iOS app. In order for your "users" to install it though, they would need to pay the $99 fee for a developer license or be jailbroken. Your right as a developer to distribute software is still there, not very conveniently though but there none the less.
Not really, at least not in any meaningful sense. Just like how copyright law allows you to make duplicates of copyrighted material for personal use ... but denies you the right to acquire the tools needed to do that in most cases. A right that you have but do not have the power to exercise is not a right but is, in the end, a privilege. On that may be revoked at any time.