CarrierIQ: Most Phones Ship With "Rootkit"
First time accepted submitter Kompressor writes "According to a developer on the XDA forums, TrevE, many Android, Nokia, and BlackBerry smartphones have software called Carrier IQ that allows your carrier full access into your handset, including keylogging, which apps have been run, URLs that have been loaded in the browser, etc."
Since this was submitted, a few more details have come to light. The software was designed to give carriers useful feedback on aggregate usage patterns, but it runs as root, and the privacy implications are pretty severe.
Re:Really? (Score:5, Informative)
"By entering this Agreement, you consent to our data collection, use and sharing practices described in our Privacy Policy available at verizon.com/privacy." -- from Verizon Customer Agreement
That's why.
Re:but but but... Apple (Score:4, Informative)
And you're sure of this why?
And from geek.com (http://www.geek.com/articles/mobile/how-much-of-your-phone-is-yours-20111115/):
This may just be a terribly worded sentence and CarrierIQ isn't on the iPhone (and I can't find any other cites), but even if this specific software isn't there, that doesn't mean other software that does the same thing under the excuse of "improving the network" isn't. Further, "Apple doesn't engage in abuse <x>" is a bullshit excuse for other problems.
Re:but but but... Apple (Score:5, Informative)
You don't even need to go as far as the EULA -- iOS 5 actually asks you during setup if you want to allow usage data to be sent.
http://www.thewwwblog.com/wp-content/uploads/2011/10/ipad-ios-5-diagnostics-7.jpg [thewwwblog.com]
(From http://www.thewwwblog.com/apple-ios-5-setup-steps-apple-ipad.html [thewwwblog.com] )
Re:but but but... Apple (Score:3, Informative)
The iPhone isn't even mentioned (like not at all) in any of the linked articles, so I don't know where you're imagining you read this.
Also, the word you're looking for is spelled "speech".
RMS was right (Score:5, Informative)
Stallman [slashdot.org] doesn't sound so crazy now...
Re:but but but... Apple (Score:4, Informative)
CarrierIQ is confirmed to be found on the iPhone
Not directly in the article but in the links within the article.
Here's the direct link: http://www.geek.com/articles/mobile/how-much-of-your-phone-is-yours-20111115/ [geek.com]
Re:Doesn't Matter (Score:5, Informative)
What Marcos said. Android is not "open source". It's "kinda sorta open to downstream proprietors, but not to end users", which is not open source at all.
Well, it's not "free" according to GPLv3 (Android devices can be Tivoised, preventing you from running modified code), but anyone can download the Android source and modify and rebuild it. If your device supports it (many do), you can run your modified code on your device. I'm not sure how you can say Android isn't open source, as that's pretty much the definition of open source.
Now you could argue that it's not "free" as defined by RMS and the FSF, and you'd have a decent argument. But claiming it's not open source is just incorrect.
Re:2 Questions (Score:5, Informative)
1. Ask around, basically.
2. A guy on xdadevs whomped up an app to detect (requires root) and remove (requires root and a 99 cent donation) CIQ, among other things. http://forum.xda-developers.com/showpost.php?p=17612559&postcount=109 [xda-developers.com]
Re:RMS was right (Score:2, Informative)
Being right and being crazy aren't mutually exclusive.
Re:but but but... Apple (Score:4, Informative)
iOS is mostly closed and analysis tools can't be installed without jailbreaking; how do we know what's going on in there?
Uhm ... It's been jailbroken, so we can just look, just like you would on a rooted Android device?
Besides, does nobody remember the iPhone location privacy fiasco?
No, cause there wasn't one. It wasn't anything even slightly malicious. The only person with direct access to it was the phone owner and the person with unencrypted backups of the phone, which was also likely the owner. I'm pretty sure the owner knew where the phone was anyway, which makes the whole thing a nonpoint.
It's just idiots like you who keep pretending it was some big deal because you're too ignorant to realize it wasn't a threat.
Re:but but but... Apple (Score:5, Informative)
You mean the smartphone location fiasco where it was discovered that *gasp* AGPS caches data on phones, including Android, BlackBerry, iPhone and webOS? Yep. Typical internet echo chamber amplification that turned it into an attack point for fanboys who didn't actually do any research.
Apple did have one legitimate bug in the situation. The cache was in a folder marked for backup to computers, due to it living in the same location as the settings file to toggle what apps can use location data. This was fixed, and the cache was reduced. I personally preferred the old cache time, since it meant my phone found my location when I wanted it to quicker. But they bowed to the pressure from the echo chamber anyhow.
Re:Doesn't Matter (Score:2, Informative)
Now you could argue that it's not "free" as defined by RMS and the FSF, and you'd have a decent argument. But claiming it's not open source is just incorrect.
Actually, you wouldn't have a decent argument. "Free software" and "open source", as defined by the FSF and OSG respectively, are as near semantically equivalent as you can get, including a whole slew of permissive licenses like Apache. The term Stallman uses for GPL (and similarly restrictive licenses) is "copyleft", which is either a horrible pun or a misunderstanding of what "copy" in copyright means (it's a noun, as in "copywriter", referring to the work, not a verb meaning to duplicate).
And of course Android is not copyleft, and nobody would argue it is. Then again, neither is NetBSD, and I somehow do fine with that on my home desktop with no worries of rootkits. Conversely, even copyleft doesn't prevent tivoisation per se, which is why GPLv2 is still considered a copyleft license.
The big problem is tivoisation, implemented as locked-down bootloaders in many phones, preventing you from compiling and installing your own non-rootkitted software. If the only thing stopping the vendor from rootkitting you is the trust that they will really comply with the GPL and release full source (including the big-brother patches, which may well be "protected" as state secrets, if they're sharing collected info with the right people), you should assume you're rootkitted already. A secondary problem is the proprietary platform-specific drivers and codecs, making it difficult to get full functionality of the hardware with your own non-rootkitted software (and copyleft does help alleviate this, by making it more effort to separate binary blobs far enough to comply), but between reverse-engineering and dropping these blobs wholesale into your new system (on the theory that, say, an h.264 DSP codec is unlikely to be a spy platform), this is less of an issue than the locked-down bootloaders.
Re:Doesn't Matter (Score:4, Informative)
Why should I drop it?
Because it's not a valid grievance. Google didn't sign some binding agreement with the users of the world to make all Android open source, all the time, immediately. Compared to Apple or MSFT they are freaking saints (w/ regard to OSS), but it's never good enough, huh? Can't you be just a little positive about the fact that a company is pouring millions of dollars of resources into a platform and then just giving it away? Of course not, because they aren't going about it on your time table.
OSS is *expensive* for a company. It's not just throwing it over the fence. They have to manage the community, manage contributions, keep the code clean and clear, and keep everything perfectly documented for moron consumption. It's much, much more expensive for a company to open source their code than to just keep it internal.
There are good reasons why they didn't release 3.0. For one, they were in the middle of restructuring the source code, merging the 2.x and 3.x branches. Releasing the code in this state would have been confusing to users, but mainly, it would cause them more work and resources in the long run. That's their prerogative: they are a public company that reserves the right to make financial decisions.