"Responding to a Freedom of Information Act request filed by Muckrock, the FBI said that it held relevant records but that their release could interfere with pending or prospective law enforcement proceedings.
The request asked for "manuals, documents or other written guidance used to access or analyze data gathered by programs developed or deployed by Carrier IQ."
Muckrock's Michael Morisy says he plans to appeal the FBI's decision" by Dec 13
"Dan Rosenberg, a senior consultant at Virtual Security Research, told the Los Angeles Times that he had reverse-engineered the software and found that it didn’t record keystrokes, but used “keystroke events” as part of the application."
"What that means: Carrier IQ’s software can confirm when a button was pressed, but that doesn’t mean it’s sending a log of those button presses back to the company’s servers.
Now Carrier IQ explicitly states that this doesn’t happen: “Our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video,” the company’s statement reads." by Dec 3
"Still, Carrier IQ isn't completely off the hook.
As part of its internal investigation, the company discovered that it had been accidentally sending users' text messages to carriers.
The problem was the result of a bug, which Carrier IQ says it has told the carriers how to fix. The texts were also encoded, so they weren't "human readable," the company claims." by Dec 17
"That debugger is supposed to be turned off unless a developer turns it on. It's also highly unusual -- and potentially insecure -- for an application to store so much data to the debug logger. A stolen phone that hasn't been turned off could be a gold mine for hackers, who would have access to literally everything a user has done or said on the device since it was last powered down.
Though Carrier IQ is installed on more than 150 million phones worldwide, the debug logging problem appears to only exist on HTC and Samsung smartphones. Those two manufacturers add a layer of their own software on top of the stock Google Android operating system, according to Dan Rosenberg, a consultant at Virtual Security Research who has extensively studied Carrier IQ's software." by Dec 17
"This week, Carrier IQ concluded an internal investigation and released a report on its findings. The company's analysis confirmed that its software does not, by itself, record users' keystrokes. Instead, the report affirmed Carrier IQ's prior suspicions that the recording is being triggered on the handset manufacturers' end.
Carrier IQ's report said that what the Eckhart video displays is actually the result of separate tools put in place by the handset manufacturer.
The data recording was being done in what's known as a debug log. The log is intended to help software developers understand what happened if something goes wrong with an application. It stashes information in the phone's memory, where it remains stored until the device is powered down." by Dec 17
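The two Dec 17 excerpts above describe the actual exposure: an OEM layer writing key events, URLs and message contents into the Android debug log, where anyone with `adb logcat` access to an unlocked, still-powered phone can read them. The script below is an added example (my own, not code from the articles, Eckhart or Carrier IQ) of the kind of check a researcher would run to triage such a log: it parses `logcat -v time`-style lines, flags message classes that have no business in a debug log, and shows that the key events alone are enough to reconstruct what was dialed. The log sample, the `OEMDiag` tag and the field formats are constructed for the example and are not Carrier IQ's real output.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List

# Constructed sample of `adb logcat -v time` output. The tag "OEMDiag" and the
# payload formats are hypothetical, chosen only to exercise the scanner.
SAMPLE_LOGCAT = """\
12-13 10:01:02.123 D/ActivityManager(  412): Start proc com.android.phone
12-13 10:01:05.456 D/OEMDiag( 1337): dialer key_event keycode=KEYCODE_5 action=DOWN
12-13 10:01:05.789 D/OEMDiag( 1337): dialer key_event keycode=KEYCODE_5 action=DOWN
12-13 10:01:09.001 V/OEMDiag( 1337): http_request url=https://www.example.com/search?q=my+medical+condition
12-13 10:01:12.222 D/OEMDiag( 1337): sms_in from=+15555550123 body=meet at 7
12-13 10:01:15.000 I/WifiService( 412): setWifiEnabled: true
"""

# One `logcat -v time` record: timestamp, priority/tag(pid): message.
LOGCAT_LINE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<level>[VDIWEF])/(?P<tag>[^(]+)\(\s*(?P<pid>\d+)\):\s(?P<msg>.*)$"
)

# Classes of data that should never appear in a world-readable debug log,
# each with a pattern whose first group captures the leaked value.
RULES = {
    "keystroke": re.compile(r"\bkeycode=(KEYCODE_\w+)"),
    "url": re.compile(r"\b(https?://\S+)"),
    "sms_body": re.compile(r"\bbody=(.+)$"),
    "phone_number": re.compile(r"(\+?\d{10,15})\b"),
}


@dataclass
class Finding:
    ts: str
    pid: int
    tag: str
    kind: str
    value: str


def parse_logcat(text: str) -> Iterator[re.Match]:
    """Yield a match per well-formed logcat line; malformed lines are skipped."""
    for raw in text.splitlines():
        m = LOGCAT_LINE.match(raw)
        if m:
            yield m


def scan_logcat(text: str) -> List[Finding]:
    """Return every sensitive-data hit, with the tag and pid that wrote it,
    so the leak can be attributed to a specific process rather than guessed."""
    findings = []
    for m in parse_logcat(text):
        msg = m.group("msg")
        for kind, pattern in RULES.items():
            for hit in pattern.finditer(msg):
                findings.append(Finding(m.group("ts"), int(m.group("pid")),
                                        m.group("tag").strip(), kind, hit.group(1)))
    return findings


def dialed_digits(findings: List[Finding]) -> str:
    """Reconstruct the digits typed into the dialer from logged key events.
    Only KEYCODE_0..KEYCODE_9 are mapped; other keys are ignored."""
    digits = []
    for f in findings:
        if f.kind == "keystroke":
            m = re.fullmatch(r"KEYCODE_(\d)", f.value)
            if m:
                digits.append(m.group(1))
    return "".join(digits)


if __name__ == "__main__":
    hits = scan_logcat(SAMPLE_LOGCAT)
    for f in hits:
        print(f"{f.ts} pid={f.pid} tag={f.tag} {f.kind}: {f.value}")
    print("dialed:", dialed_digits(hits))
```

Run it against a real capture with `adb logcat -v time -d > dump.txt` and feed the file contents to `scan_logcat`; the `tag`/`pid` columns are what lets you separate the vendor diagnostic process from the platform services also writing to the same buffer, which is exactly the attribution question the Dec 17 report turned on.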
"Senator Al Franken, who sent a letter to Carrier IQ this week about the company’s business practices, is asking the right question here: “Does [Carrier IQ] subsequently share [data it collects] with third parties? With whom does it share this data? What data is shared?” If Carrier IQ is sharing the data with anyone but the carrier that hired it, that’s a problem. If not, as the company claims, then it’s just a subcontractor doing work on behalf of a carrier that already has access to the same information anyway." by Dec 3
But when Sen. Al Franken, the Minnesota Democrat, wrote a letter yesterday asking what data are collected, he didn't address it to Sprint and AT&T, who combined have probably the most influential lobbying operation in the nation's capital. In his own letter today, Rep. Ed Markey, the Massachusetts Democrat, didn't either. by Dec 3
"The data is not controlled by us, regardless of which model is used," Coward says. "We have no rights to the data. We cannot sell it, lease it, rent it, share it. The operators are extremely strict about that, as you might expect." by Dec 3
Coward acknowledged that the company's software, which is designed to be installed by carriers, can report back what applications are being used and what URLs are visited. Carrier IQ doesn't make these decisions; rather, they sell configurable software and the carriers decide what options to enable. by Dec 3
Carrier IQ has given Rebecca Bace, a well-known security expert who's advised startups including Tripwire and Qualys, access to the company's engineers and internal documents. (Bace says she has no financial relationship with Carrier IQ.)
Bace told CNET that: "I'm comfortable that the designers and implementers expended a great deal of discipline in focusing on the espoused goals of the software--to serve as a diagnostic aid for assuring quality of service and experience for mobile carriers." by Dec 3
Dan Rosenberg, an exceptionally talented security consultant who has discovered more than 100 vulnerabilities in the Linux kernel, FreeBSD, and GNU utilities, extracted a copy of Carrier IQ's software from his own Android phones. He then analyzed the assembly language code with a debugger that allowed him to look under the hood.
"The application does not record and transmit keystroke data back to carriers," Rosenberg told CNET. His reverse-engineering showed that "there is no code in Carrier IQ that actually records keystrokes for data collection purposes." by Dec 3
Carrier IQ vice president of marketing, Andrew Coward, explained their product’s functionality, giving extensive interviews to CNET and the Verge, among other online media outlets.
"Now Coward has reached out to TPM with answers to some of our most persistent questions about the Carrier IQ software"
Short interview. Only 3 questions and answers. by Dec 9
Jon Oberheide, co-founder of Duo Security, exploit creator, code auditor
"I definitely wouldn't use the term keylogger to refer to Carrier IQ. It processes some input events (hardware buttons, etc), but it doesn't meet the functionality and intent of a keylogger...
"I agree with Carrier IQ's statement that it's really the carrier's policy on collecting URLs and other data. There's certainly privacy concerns and sensitive data that could be leaked through the URLs. Carrier IQ seems to be receiving the blame in this scenario, while it's really the carriers that should be answering the questions and claims here (which they've started to)...
"Most malware will just root your phone and have full access to all your activity regardless. Funny how people freak out about Carrier IQ, when malware can do the same thing but easier, more stealthily, and with obviously malicious intent. :-)" by Dec 3
Coward: [On being able to record running apps, visited URLs] "That relates really to understanding what applications are on the device and application usage. If you're having problems with the applications, we'll see all of that. Next to that in terms of sensitivity would be understanding what URLs your device is going to. We see that information too. Whether a service provider actually uses that information (is up to them)." by Dec 3
"Carriers [Cell Phone Service Providers] can configure Carrier IQ to record and transmit the URLs of Web pages visited, a separate privacy concern from keylogging." by Dec 3
The data it takes from iOS is much less extensive, and Apple plans to remove it from iOS. by Dec 3
How likely is it that data collected by Carrier IQ could be accessed by a third party?
"Considering there are no reports of this ever happening, you might conclude that it’s extremely unlikely. In its statement, Carrier IQ says the data it gathers is encrypted in its own network, or the carriers’ networks.
It’s unclear how secure the data stored on the phone itself is, however. Eckhart managed to access it, albeit on his own phone. It’s all hypothetical, but if you take into account the recent emergence of Android malware that’s able to “root” a phone, it’s impossible to rule out the idea that someone could design a piece of malware that could root the phone and access the data. In theory, it’s possible, but again, there are no reports that anyone’s done it." by Dec 3
"They were also concerned that there’s no way to shut down the software or opt out.
The last point is somewhat laughable. Do a Ctrl Alt Delete on your Windows computer sometime and look at the process tab. There are dozens of processes running on your computer at any given time, most of them likely unidentifiable to you. Microsoft runs some, other software and utilities you’re running are responsible for the others. You didn’t explicitly ask for those processes to run, but they come as part of the system or software you’re using. You can shut any of them down, but at the risk of harming your computer.
For carriers and handset manufacturers, Carrier IQ is very much like one of those processes. I bet it never even occurred to them that they should inform consumers, let alone offer a way to disable the diagnostic tool." by Dec 6
States that Carrier IQ does things that debugging software does. by Dec 6
1. The carriers are the customers, not the end users.
2. The Log File belongs to Android, not Carrier IQ
3. Data is stored for roughly 30 days and its use is strictly dictated by the Carrier
4. Opt-in/Opt-out decisions are up to the Carrier, not Carrier IQ
5. Carrier IQ dodges the "How Secure is my Data being transmitted?" question. by Dec 9
"In the document (PDF link), titled “Understanding Carrier IQ Technology,” Carrier IQ aims to explain what the software “does and does not do.”" by Dec 13
"The point is though, the data has value. It could be accessed ethically in new marketplaces, oriented around people's control and management - not just this 'opt-in' to us stalking you. Put it in your personal data locker/store/vault/bank and use it as you see fit. Where the user can choose where they store it, who can help them get value from it and how they are protected from others seeing and poking at it or manipulating and using it for things the user doesn't want.
This is also where accountability frameworks will start to come in - because right now there are really none asserted by people or anyone - but it is reasonable for a carrier to have data on where calls are dropping. So can you have 'frameworks' where that kind of data is available but not the Personally Identifiable Information and tracking bits...and can we audit this?" by Dec 3
In Europe there is the concept of purpose binding. Data can't be collected without informing the customer of its purpose. by Dec 3
Because of our smartphones, privacy is a fast-disappearing construct. We can easily be "geotagged". by Dec 3
A general big problem with the software is that it records things that go beyond just measuring dropped calls, such as logging people's keystrokes. by Dec 3
As our Marshall Kirkpatrick notes, we could all become victims of our own data. Any time we perform an action on an Internet connected device, in one way or another that data is being created and logged. Whether that is for temporary functionality purposes or for the edification of the carriers, developers, manufacturers or marketers depends on the nature of the data. Detailed data is an extraordinarily valuable commodity. by Dec 3
Nielsen is a partner of Carrier IQ’s, according to a press release from October. by Dec 5
"Instead of outlining exactly what types of data they collect, Carrier IQ, Sprint (NYSE: S), and AT&T (NYSE: T) have chosen to issue carefully worded statements about the type of data they don’t collect." by Dec 5
Points out how strangely specific Carrier IQ's response was:
"Carrier IQ’s statement was oddly specific about the type of data it did not “record, store, or transmit:” “SMS messages, email, photographs, audio or video.” However, the Carrier IQ software is in a position to capture just about every action performed on a smartphone, such as search terms, frequently visited destinations entered into mapping software, or even the books and magazines you’re reading." by Dec 5
Did not finish reading (b/c I've already read so damn many articles on this topic...) by Dec 10
"What we now know from security researcher Dan Rosenberg's subsequent analysis of Carrier IQ software are these important facts: 1) It records only keystrokes made through the phone dialer software, not any other software including SMS, texting, or apps; 2) it does not appear to use stealth other than the protection methods already built into the operating system; 3) it stores the logs of those keystrokes using not enough stealth, thus potentially exposing users to privacy risks. But these are not the three most important lessons of this story." by Dec 10