Researchers Say Carrier IQ Isn't Logging Data, Texts 130
Trailrunner7 writes "Security researchers who have investigated the inner workings of the Carrier IQ software and its capabilities say the application has some powerful, and potentially worrisome capabilities, but as it's currently deployed by carriers it doesn't have the ability to record SMS messages, phone calls or keystrokes. However, the researchers note there is still potential for abuse of the information that's being gathered, whether by the carriers themselves or third parties who can access the data legitimately or through a compromise of a device. Jon Oberheide, a security researcher who has done a lot of work on Android devices, also analyzed several versions of the Carrier IQ software and found the software has the ability to record some information, but that doesn't mean it's actually doing so. That part is up to each individual carrier. However, he says the ability to collect such data is a dangerous thing. 'There is a lot of capability to collect sensitive data, which is dangerous in any scenario,' Oberheide said in an interview. 'It's up to the carriers to use the software as they choose, but you could sort of put some blame on Carrier IQ. But they put it on the carriers.'"
For those who don't want to trust in the good will of Carrier IQ or carriers themselves, here are a couple ways to get it off your phone.
On trusting shit. (Score:5, Insightful)
If I use any modern mobile 'phone then I assume anything I put on it and where it is can be read by the OS vendor and the carrier. The environment is too tightly controlled and lacking in openness for me to be able to come close to verifying otherwise. We can assume that the facility is only used on rare occasions because one significant revelation of data transmission will put people off buying the product, IOW the only thing keeping anyone safe is the "you're not important enough to matter" card.
But if you're doing anything remotely interesting, whether that's in industry or activism, you'd be a fucking idiot to use the routine features of a smartphone.
Re:Old news (Score:5, Insightful)
Indeed, and carriers of course could already view and record text messages. They don't need an app for that.
I don't care if it is harmless (Score:5, Insightful)
If CarrierIQ is making money from studying my behaviors, then I want a cut or I want to uninstall their craptastic software. I should not be forced to consume software I do not want. If Android wants analytics, then build it into Android OS. My relationship is with my phone manufacturer and the OS manufacturer. I should be able to decide what other relationships I want. CarrierIQ can contact me if they think their software somehow adds value to my experience. Otherwise, do more testing.
seriously (Score:4, Insightful)
Re:Old news - maybe not (Score:5, Insightful)
This was known days ago. Of course that fucks up your nice little conspiracy theory, so it wasn't posted.
Carrier IQ has admitted that it records URLs of every web site you visit on your mobile device, and sends it to the carrier.
So there is another subpoena target for the authorities. Even your ISP doesn't necessarily get that information. Why should your carrier?
Re:Don't confuse the masses with legalese please (Score:2, Insightful)
Why does someone "have to go to jail"? Will it fix something? Or is will tickle your sadistic fetish?
We don't live in times when lynching the first black guy who crosses the path of lynch mob was the right way to get justice for rape done by your neighbor, and that's exactly what you're asking for here.
People signed the contract that allowed them to do this. There are no laws that were broken. You and your neighbors elected people who decided that there was nothing illegal about this, as long as they were using it properly, to monitor the status of your phone in relation to their network. So far there has been no evidence of this being untrue. Just because the program gives them the ability to do much more then that doesn't mean it was USED to do much more. This is the argument used to allow us to do things from driving cars to owning guns for fuck's sake. Why does it suddenly become invalid here?
Therefore if someone should "go to jail", perhaps a long look into the mirror is in order?
Re:I don't care if it is harmless (Score:5, Insightful)
No one forced your provider ti install CarrierIQ
And you have not a single shred of leverage to get the carrier to remove it.
Unless and until the hue and cry becomes so loud and congress takes an interest, they will all continue to foist
this stuff on the user, so your threat to take your business elsewhere means nothing.
If you don't object this camel's nose, you'll have the neck and forelegs soon.
CarrierIQ makes its living selling burglar tools. They can't survive without your acquiescence. Your carriers won't help you.
Go Senator Franken!
Re:Pet Peeve: SEO and URLs. (Score:4, Insightful)
The descriptive URLs are also more useful for situations where you might be seeing the URL on its own, such as in a message from a friend. A message saying "go check out story 2225202 on Slashdot" is unlikely to get someone's attention, but an address mentioning a specific issue might. In a link to an article on an unknown blog, descriptive words can inspire enough confidence to view the article, rather than lead to the expectation that the mess of numbers to be an obfuscation hiding our dear friend Goatse.
The trend may indeed have its roots in SEO, but I, for one, like it.
Re:Old news (Score:5, Insightful)
Nature of the install (Score:5, Insightful)
As usual, the crux of the matter has to do with TRANSPARENCY and CONSUMER CONSENT. The question of whether or not CarrierIQ is actually capturing user behavior through the software is important, but actually secondary to the fact that the carriers themselves do not TELL the consumer that (1) we've installed this logging software on your device; (2) it is not possible through normal means to deactivate it; (3) this software runs without any disclosure or agreement in your contract; (4) this software runs on your device even if you are no longer under contract or even subscribed as our customer; and (5) this software is not an integrated component of the device's operating system.
And why don't they tell you these things? Because they can get away with it. The fact that this software is so hidden from the user, and is NEVER mentioned in any of the legal documentation you are asked to sign, is all the reason why the consumer cannot and should not be expected to simply take either the mobile network operator or CarrierIQ at their word when they say they're not tracking personally identifiable information. Yes, researchers have chimed in with their findings. But such broad, unregulated, and pervasive tools as CarrierIQ have enormous potential for abuse, and it is simply unacceptable to allow these companies to just chalk it up to "sorry we kept this a secret from you, but TRUST US, it's all perfectly innocent." Yeah, bullshit. If it were truly so innocuous, why did you go through such lengths to hide it and make it difficult to disable or remove?
This isn't a rebuttal (Score:4, Insightful)
Original video [youtube.com] that demonstrated CarrierIQ logging keystrokes. I.e. not a theoretic capability, nor a risk, but actual entries into the system log. This was performed on an stock HTC Evo 3D.
This article is asserting that CarrierIQ does not contain the necessary hooks for keystroke logging on the Samsung Epic 4G Touch.
IOW, the two articles are not making the same claim. It is already known that different phones have different versions of CarrierIQ. This article isn't claiming that no phone has the capability to log keystrokes, merely that the Epic does not. The original article wasn't claiming that all phones are logging keystrokes, merely that the Evo is. Methinks someone is trying to manipulate public opinion, as the original video is surprisingly difficult to find, and this article's claims were immediately exaggerated and that version of the story was popularized.