Carrier IQ

http://www.computerworld.com/s/article/9223398/Lawmakers_seek_hearing_on_Carrier_IQ_privacy_issues News January 12, 2012 03:31 PM ET

Lawmakers seek hearing on Carrier IQ privacy issues

FBI says Carrier IQ files used for "law enforcement purposes"

The FBI disclosed this weekend that data gathered by Carrier IQ software is used by it for "law enforcement purposes", but refused to give details of how it has done so. Responding to a Freedom of Information Act request filed by Muckrock, the FBI said that it held relevant records but that their release could interfere with pending or prospective law enforcement proceedings. http://boingboing.net/2011/12/12/fbi-says-it-uses-carrier-iq-fo.html

"Responding to a Freedom of Information Act request filed by Muckrock, the FBI said that it held relevant records but that their release could interfere with pending or prospective law enforcement proceedings.

The request asked for "manuals, documents or other written guidance used to access or analyze data gathered by programs developed or deployed by Carrier IQ."

Muckrock's Michael Morisy says he plans to appeal the FBI's decision" by pattychanman Dec 13

Carrier IQ Denies Violating Wiretap Laws

Carrier IQ, the beleaguered wireless metrics provider, "vigorously disagrees" with anyone who says it violates wiretap laws — and insists its software "makes your phone better" by delivering information on device performance to wireless operators. http://mashable.com/2011/12/02/carrier-iq-statement/

"Dan Rosenberg, a senior consultant at Vital Security Research, told the Los Angeles Times that he had reverse-engineered the software and found that it didn’t record keystrokes, but used “keystroke events” as part of the application."

"What that means: Carrier IQ’s software can confirm when a button was pressed, but that doesn’t mean it’s sending a log of those button presses back to the company’s servers.

Now Carrier IQ explicitly states that this doesn’t happen: “Our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video,” the company’s statement reads." by pattychanman Dec 3

Carrier IQ: We don't record keystrokes, but your phone does - Dec. 16

Developer Trevor Eckhart's YouTube video exposed how detailed smartphone data was being logged by Carrier IQ's app. NEW YORK (CNNMoney) -- As the privacy fiasco that erupted around Carrier IQ continues smoldering, the finger pointing has intensified over the controversial software that sends data from individuals' phones back to their carriers. http://money.cnn.com/2011/12/16/technology/carrier_iq/index.htm

"Still, Carrier IQ isn't completely off the hook.

As part of its internal investigation, the company discovered that it had been accidentally sending users' text messages to carriers.

The problem was the result of a bug, which Carrier IQ says it has told the carriers how to fix. The texts were also encoded, so they weren't "human readable," the company claims." by pattychanman Dec 17

"That debugger is supposed to be turned off unless a developer turns it on. It's also highly unusual -- and potentially insecure -- for an application to store so much data to the debug logger. A stolen phone that hasn't been turned off could be a gold mine for hackers, who would have access to literally everything a user has done or said on the device since it was last powered down.

Though Carrier IQ is installed on more than 150 million phones worldwide, the debug logging problem appears to only exist on HTC and Samsung smartphones. Those two manufacturers add a layer of their own software on top of the stock Google Android operating system, according to Dan Rosenberg, a consultant at Virtual Security Research who has extensively studied Carrier IQ's software." by pattychanman Dec 17

"This week, Carrier IQ concluded an internal investigation and released a report on its findings. The company's analysis confirmed that its software does not, by itself, record users' keystrokes. Instead, the report affirmed Carrier IQ's prior suspicions that the recording is being triggered on the handset manufacturers' end.

Carrier IQ's report said that what the Eckhart video displays is actually the result of separate tools put in place by the handset manufacturer.

The data recording was being done in what's known as a debug log. The log is intended to help software developers understand what happened if something goes wrong with an application. It stashes information in the phone's memory, where it remains stored until the device is powered down." by pattychanman Dec 17

Carrier IQ caught in action

Carrier IQ Is Not Evil

http://www.forbes.com/sites/kashmirhill/2011/12/02/carrier-iq-is-not-evil/

"Senator Al Franken, who sent a letter to Carrier IQ this week about the company’s business practices, is asking the right question here: “Does [Carrier IQ] subsequently share [data it collects] with third parties? With whom does it share this data? What data is shared?” If Carrier IQ is sharing the data with anyone but the carrier that hired it, that’s a problem. If not, as the company claims, then it’s just a subcontractor doing work on behalf of a carrier that already has access to the same information anyway." by pattychanman Dec 3

In just a handful of days, a startup company named Carrier IQ has been subjected to extraordinary public vilification, with reports accusing it of making a "rootkit keylogger" that "creeps out everyone" or is the "rootkit of all evil." http://news.cnet.com/8301-31921_3-57335715-281/how-carrier-iq-was-wrongly-accused-of-keylogging/

How Carrier IQ was wrongly accused of keylogging | Privacy Inc.

But when Sen. Al Franken, the Minnesota Democrat, wrote a letter yesterday asking what data are collected, he didn't address it to Sprint and AT&T, who combined have probably the most influential lobbying operation in the nation's capital. In his own letter today, Rep. Ed Markey, the Massachusetts Democrat, didn't either. by pattychanman Dec 3

"The data is not controlled by us, regardless of which model is used," Coward says. "We have no rights to the data. We cannot sell it, lease it, rent it, share it. The operators are extremely strict about that, as you might expect." by pattychanman Dec 3

Coward acknowledged that the company's software, which is designed to be installed by carriers, can report back what applications are being used and what URLs are visited. Carrier IQ doesn't make these decisions; rather, they sell configurable software and the carriers decide what options to enable. by pattychanman Dec 3

Carrier IQ has given Rebecca Bace, a well-known security expert who's advised startups including Tripwire and Qualys, access to the company's engineers and internal documents. (Bace says she has no financial relationship with Carrier IQ.)
Bace told CNET that: "I'm comfortable that the designers and implementers expended a great deal of discipline in focusing on the espoused goals of the software--to serve as a diagnostic aid for assuring quality of service and experience for mobile carriers." by pattychanman Dec 3

Dan Rosenberg, an exceptionally talented security consultant who has discovered more than 100 vulnerabilities in the Linux kernel, FreeBSD, and GNU utilities, extracted a copy of Carrier IQ's software from his own Android phones. He then analyzed the assembly language code with a debugger that allowed him to look under the hood.
"The application does not record and transmit keystroke data back to carriers," Rosenberg told CNET. His reverse-engineering showed that "there is no code in Carrier IQ that actually records keystrokes for data collection purposes." by pattychanman Dec 3

Carrier IQ Explains Itself

Carl Franzen http://idealab.talkingpointsmemo.com/2011/12/carrier-iq-explains-itself.php

Carrier IQ vice president of marketing, Andrew Coward, explained their product’s functionality, giving extensive interviews to CNET and the Verge, among other online media outlets.

"Now Coward has reached out to TPM with answers to some of our most persistent questions about the Carrier IQ software"

Short interview. Only 3 questions and answers. by pattychanman Dec 9

http://news.cnet.com/8301-31921_3-57336064-281/carrier-iq-verbatim-answers-from-company-exec-researchers/ It's been a tumultuous few weeks for Carrier IQ, the Mountain View, Calif.

Carrier IQ verbatim: Answers from company exec, researchers | Privacy Inc.

Jon Oberheide, co-founder of Duo Security, exploit creator, code auditor
"I definitely wouldn't use the term keylogger to refer to Carrier IQ. It processes some input events (hardware buttons, etc), but it doesn't meet the functionality and intent of a keylogger...
"I agree with Carrier IQ's statement that it's really the carrier's policy on collecting URLs and other data. There's certainly privacy concerns and sensitive data that could be leaked through the URLs. Carrier IQ seems to be receiving the blame in this scenario, while it's really the carriers that should be answering the questions and claims here (which they've started to)...
"Most malware will just root your phone and have full access to all your activity regardless. Funny how people freak out about Carrier IQ, when malware can do the same thing but easier, more stealthily, and with obviously malicious intent. :-)" by pattychanman Dec 3

Coward: [On being able to record running apps, visited URLs] "That relates really to understanding what applications are on the device and application usage. If you're having problems with the applications, we'll see all of that. Next to that in terms of sensitivity would be understanding what URLs your device is going to. We see that information too. Whether a service provider actually uses that information (is up to them)." by pattychanman Dec 3

"Carriers [Cell Phone Service Providers] can configure Carrier IQ to record and transmit the URLs of Web pages visited, a separate privacy concern from keylogging." by pattychanman Dec 3

In Carrier IQ Scandal, iPhone Owners Avoid a Privacy Scare

The data it takes from iOS is much less extensive and Apple plans to remove it from iOS by pattychanman Dec 3

As controversy continues to swirl around Carrier IQ, which stores data and sends it to cellphone service providers, Apple has confirmed that it stopped supporting the software in iPhones — and will remove it completely from future iPhone software. http://mashable.com/2011/12/02/iphone-diagnostic-data/

Apple Will Remove Carrier IQ -- How To Block It On Your iPhone Now [PICS]

NEW YORK (CNNMoney) -- Carrier IQ is a piece of software installed on millions of mobile phones that logs everything their users do, from what websites they browse to what their text messages say. http://money.cnn.com/2011/12/01/technology/carrier_iq/index.htm

Carrier IQ: Your phone's secret recording device - Dec. 1

Carrier IQ and Your Phone: Everything You Need to Know

There's a storm of controversy flaring up over Carrier IQ, cellphone software that logs user activity and relays at least some of that information to wireless carriers. The carriers say they'll use that data to improve their networks. But anything that's peeking in on what you're doing on a phone raises a host of privacy concerns, and many users are suspicious.

How likely is it that data collected by Carrier IQ could be accessed by a third party?
"Considering there are no reports of this ever happening, you might conclude that it’s extremely unlikely. In its statement, Carrier IQ says the data it gathers is encrypted in its own network, or the carriers’ networks.
It’s unclear how secure the data stored on the phone itself is, however. Eckhart managed to access it, albeit on his own phone. It’s all hypothetical, but if you take into account the recent emergence of Android malware that’s able to “root” a phone, it’s impossible to rule out the idea that someone could design a piece of malware that could root the phone and access the data. In theory, it’s possible, but again, there are no reports that anyone’s done it." by pattychanman Dec 3

Carrier IQ Is Not Evil

Look out! Your phone knows what you’re doing. It has your contacts, email messages, SMS text, pictures and video.

"They were also concerned that there’s no way to shut down the software or opt out.

The last point is somewhat laughable. Do a Ctrl Alt Delete on your Windows computer sometime and look at the process tab. There are dozens of processes running on your computer at any given time, most of them likely unidentifiable to you. Microsoft runs some, other software and utilities you’re running are responsible for the others. You didn’t explicitly ask for those processes to run, but they come as part of the system or software you’re using. You can shut any of them down, but at the risk of harming your computer.

For carriers and handset manufacturers, Carrier IQ is very much like one of those processes. I bet it never even occurred to them that they should inform consumers, let alone offer a way to disable the diagnostic tool." by pattychanman Dec 6

States that Carrier IQ does things that debugging software does. by pattychanman Dec 6

As the Carrier IQ scandal continues to heat up — now with even more lawsuits — the company has chosen to break its silence by speaking with the press. Dieter Bohn and Sean Hollister from The Verge managed to score a big interview with Carrier IQ VP Andrew Coward. Coward reaffirms Carrier IQ's earlier statements, maintaining that the company isn't violating any wiretapping laws or doing anything untoward but he also manages to open up a bit more about exactly what Carrier IQ does do and why.

Carrier IQ Speaks: 5 Key Takeaways

1. The Carriers are the customers, not the end users.

2. The Log File belongs to Android, not Carrier IQ

3. Data is stored for roughly 30 days and its use is strictly dictated by the Carrier

4. Opt-in/Opt-out decisions are up to the Carrier, not Carrier IQ

5. Carrier IQ dodges the "How Secure is my Data being transmitted?" question. by pattychanman Dec 9

Understanding Carrier IQ: The Most Detailed Explanation So Far

The controversy over Carrier IQ, a diagnostic program installed on millions of mobile phones all over the world, continues to heat up, especially after a class action lawsuit targeted the company together with several mobile manufacturers and carriers. Although it already offered several explanations of what it does, Carrier IQ now decided to publish another document, with the most detailed analysis of the software and its impact on its users yet. In the document (PDF link), titled "Understanding Carrier IQ Technology," Carrier IQ aims to explain what the software "does and does not do."

"In the document (PDF link), titled “Understanding Carrier IQ Technology,” Carrier IQ aims to explain what the software “does and does not do.”" by pattychanman Dec 13

It's Carrier IQ's World, We Just Live in It

"The point is though, the data has value. It could be accessed ethically in new market places, oriented around people's control and management - not just this 'opt-in' to us stalking you. Put it in your personal data locker/store/vault/bank and use it as you see fit. Where the user can choose where they store it who can help them get value from it and how they are protected from others seeing and poking at it or manipulating and using it for things the user doesn't want.

This is also where accountability frameworks will start to come in - because right now there are really none asserted by people or anyone - but it is reasonable for a carrier to have data on where calls are dropping. So can you have 'frameworks' where that kind of data is available but not the Personally Identifiable Information and tracking bits...and can we audit this?" by pattychanman Dec 3

In Europe there is the concept of purpose binding. Data can't be collected without informing the customer of its purpose. by pattychanman Dec 3

Because of our smartphones, privacy is a fast-disappearing construct. We can easily be "geotagged" by pattychanman Dec 3

A general big problem with the software is it records things that go beyond just measuring dropped calls, such as logging people's key strokes. by pattychanman Dec 3

Carrier IQ: Is It Spying or Actionable Data? [Poll]

As our Marshall Kirkpatrick notes, we could all become victims of our own data. Any time we perform an action on an Internet connected device, in one way or another that data is being created and logged. Whether that is for temporary functionality purposes or for the edification of the carriers, developers, manufacturers or marketers depends on the nature of the data. Detailed data is an extraordinarily valuable commodity. by pattychanman Dec 3

Why Both You And Carrier IQ Are

Nielsen is a partner of Carrier IQ’s, according to a press release from October. by pattychanman Dec 5

"Instead of outlining exactly what types data they collect, Carrier IQ, Sprint (NYSE: S), and AT&T (NYSE: T) have chosen to issue carefully worded statements about the type of data they don’t collect." by pattychanman Dec 5

Points out how strangely specific Carrier IQ's response was:

Carrier IQ’s statement was oddly specific about the type of data it did not “record, store, or transmit:” “SMS messages, email, photographs, audio or video.” However, the Carrier IQ software is in a position to capture just about every action performed on a smartphone, such as search terms, frequently visited destinations entered into mapping software, or even the books and magazines you’re reading. by pattychanman Dec 5

The revelation two weeks ago from security researcher Trevor Eckhart (see YouTube video) that performance measurement software installed by carriers on Android phones records dialer keystrokes, resulted in the almost autonomous generation of Web stories asking rhetorical questions, in the vein of, "Is your smartphone spying on you?" Web publications have a tendency to ask such questions without particularly being interested in whether anyone actually comes up with an answer. So it's almost no surprise that when another security researcher did find the answer, few publications actually noticed.

3 Lessons Learned from the Carrier IQ Falderal

Did not finish reading (b/c I've already read so damn many articles on this topic...) by pattychanman Dec 10

"What we now know from security researcher Dan Rosenberg's subsequent analysis of Carrier IQ software are these important facts: 1) It records only keystrokes made through the phone dialer software, not any other software including SMS, texting, or apps; 2) it does not appear to use stealth other than the protection methods already built into the operating system; 3) it stores the logs of those keystrokes using not enough stealth, thus potentially exposing users to privacy risks. But these are not the three most important lessons of this story." by pattychanman Dec 10

The Mashable article pretty much sums up all the details on this issue. I also recommend reading the verbatim answers from a Carrier IQ exec and some security specialists. by pattychanman Dec 3

Sen. Al Franken, the Minnesota Democrat, and Rep. Ed Markey, the Massachusetts Democrat, will likely get some PR points as they swiftly sent letters to Carrier IQ to get to the bottom of this. I bet they won't go after the Carriers themselves though... by pattychanman Dec 3

Win for Apple in the Apple vs. Android fight, as the version on Apple is less extensive, Apple currently has a way for users to opt-out, and it has already released a statement that it will no longer use this software in future versions of iOS. by pattychanman Dec 3