There are a handful of comments here giving CarrierIQ the benefit of the doubt, because the video did not show CarrierIQ sending the logged data over the network.
If you're still inclined to give them the benefit of the doubt, just read the CarrierIQ website. Their ENTIRE BUSINESS MODEL is based on collecting data about mobile phone users!! Here's a choice excerpt I found on their website after browsing their site for 30 seconds[1]:
Carrier IQ's Mobile Service Intelligence Platform (MSIP)...receives raw data (known as Metrics) from phones and converts them into reliable, repeatable Measures which feed into analytic applications.
Or you can read this comment from a discussion last week where a CarrierIQ recruiter told an HN member that they collect 10s of gigabytes of data PER DAY.[2]
These guys are indeed collecting RAW DATA from actions on your phone. There are tremendous opportunities for abuse here, should CarrierIQ decide to do so. CarrierIQ is in blatant violation of privacy norms and could do enormous damage to the national security of many countries, conduct corporate espionage, or simply violate citizens' expectation of privacy when using their phone.
This is dangerous and should be stopped immediately.
They say they are installed on > 148.3M phones. If we imagine that they are gathering 10GB per day then that's about 76 bytes per phone, if it's 90GB (the upper limit before the recruiter would have been shouting about terabytes) then it's 680 bytes. It's more likely to be in the middle (because otherwise the recruiter would have rounded up) so you are talking 100s of bytes per phone per day. I don't think it's realistic that they are sending all my URLs, all my keystrokes etc. in a few hundred bytes.
Whether they are sending a full log report of my actions TODAY is beside the main point.
I do however know two things. 1) That their local software processes almost every key stroke made. 2) And that they do send at least some portion of this data back to their servers.
At this point it would be trivial for them to send my private information TOMORROW if they decided to do so. I don't know that they don't have a subroutine to begin sending all of my SMS back to their servers if they decide to do so for profit or under government coercion.
If they have no plans of using my Google searches, they shouldn't process it in the first place.
This is exactly right. It is the presence of a keylogger, which (at the very least) is echoing keystrokes, that is the problem. Whether they 'send' everything or only parts of it, or whether the data is anonymized, aggregated etc is a whole other discussion.
This is, of course, an attitude that is going to "deftly" shoot down any new fact or analysis brought into the discussion.
Your starting point was that they were collecting† data that could jeopardize national security††. You clearly based that argument on the idea that their own recruiter mentioned "10s of gigabytes a day".
Now, in true message board geek fashion, you're going to steadily move the goalposts. What? They're not collecting messages? Well then they're processing messages! They shouldn't be doing that either!
The problem with this tactic --- make a spectacularly unsupported assertion and then back off it in a series of non-concession-concessions --- is that you cease to be credible. Is this what you really think? Or will you re-harden your position if e.g. it becomes clear that they're not even seeing the keycodes of the keypresses, but rather using an API that could conceivably allow them to get them.
He's based his argument on the recruiter's statement, which is a poor choice. On the other hand, other material from the company supports, in fact, a much larger number.
I don't think there's any goalpost moving here at all: Hundreds of millions of keyloggers -- rootkits, really, as the article states -- are installed and unremovable. Whether they are being abused or not at the moment is irrelevant; it should be outrageous and unacceptable that such a datastream is going through a third-party without any kind of transparency, acceptance, or even tacit acknowledgement.
Likewise, your rhetorical refutation here (very thorough, in the abstract) would be a lot more damning if there wasn't, you know, video evidence of this rootkit collecting exactly this data and sending it back.
Now you're defending/rationalizing whatever disgusting bullshit Carrier IQ is up to.
What's wrong with you?
Just like we didn't have absolute proof that Aaron's indictment was politically motivated, we can't be absolutely sure that Carrier IQ is a company full of shit and devoid of morals.
But it's blindingly obvious that both are very, very likely.
I wouldn't know. But the idea that you can't even fathom how someone might have a different point of view from you and not be bought off by the government is telling.
Great point. The 10s of GB was anecdotal data from a CarrierIQ recruiter.
If we go by the official letter you've posted and assume conservatively CarrierIQ has only 1 Petabyte of data, and that they've been collecting since 2006 (when they received their Series A), they've been collecting 456 GB of data per day. It's probably more than that today since the data collection rate has surely accelerated over time.
That's an order of magnitude beyond 10s of GB per day.
Well realistically they would not have been collecting 456GB per day from day 1. They would have grown from almost nothing, which means that today they're probably collecting around a terabyte per day. That's two orders of magnitude, 7KB per user per day - and could definitely include all keystrokes of all users.
It's a few hundred bytes on average; that doesn't mean every phone reports every day, nor does it take into account the number of phones with this installed whose owners rarely use the device. This probably lives on both my parents' handsets and they make 4-5 calls and 1-2 text messages a week between them. I think that type of minimal usage is actually quite widespread, which easily offsets higher-usage users, and with presumably higher outbound data to CarrierIQ.
An average across 145M users crossing various demographics and phones types is not a good metric to use to determine the possible danger of the data being sent.
I don't think it's realistic that they are sending all my URLs, all my keystrokes etc. in a few hundred bytes.
I tend to agree with you, but at the same time wonder how they're aggregating the data; they could store each day's raw data in however many GB, then crunch it down later.
The only other potential issue that jumps out at me is bandwidth; I'd find it strange if the data isn't being compressed, but if it is, you could cram quite a lot of useful information into those few hundred bytes ;)
For the number of people who heavily use their phones, I think the numbers are sound. 1% of the users probably consume 99% of the resources. You being in that top 1%.
But simple zip on raw text is what? 3 or 4 to 1?
Particularly when you're talking about urls. So now you're talking about at least a couple kbytes of raw data.
So logging all of everyone's texts is probably still out.
But easily logging their browsing patterns. Probably app installation and use. And certainly they retain the capability to log texts containing keywords without going too far outside that aggregate range of data. Or doing targeted logging of all of selected individuals usage.
I'd just like to point out that what I hypothesized above have been revealed to be actual features of the CarrierIQ software. So I'm not sure what the downvote is for, but it's not inaccuracy or undue cynicism.
If they're only saving, say, online searches and the resulting ip address from each visit, that might be doable, and it seems like the best way to get info passively, and in small sizes.
What percentage of all the SMS messages sent by Sprint Android phones in a day do you think 10 gigabytes is? Start here: the US generates about 2 trillion SMS messages in a year across all phones.
There are multiple YC startups that could write the (bad) marketing sentence "we receive raw data (known as metrics) from X and convert them into reliable, repeatable Measures which feed into analytic applications". Personally, I'm inclined to think that when someone writes "we receive raw metrics", they mean "they receive raw metrics". You seem to premise your entire comment on the idea that "raw metrics" means "tremendous opportunities for abuse, damage to national security, corporate espionage".
Those two points --- 10 gigabytes, and "raw metrics" --- seem literally to be the entire basis of your (currently top ranked) comment.
I wish I could be more strident in disagreeing with you (because your tone makes me want to be), but I have to admit that I have no clue what this company is taking off Sprint phones. I'm inclined to believe that nobody could be dumb enough to take the contents of SMS messages from phones --- Sprint doesn't want that data --- but who knows?
I wrote a similarly negative comment yesterday when this story hit HN the first time. Then I read downthread and found John Graham-Cumming thoughtfully picking apart the story. I read his comment, re-read mine, and deleted mine. 'jgc's comments on this story are interesting; ours are less so; his is buried under yours now. Perhaps you could follow my lead.
Myself and almost every other mobile phone user have the reasonable expectation that third parties should not have the ABILITY to read or modify my private and personal information unless I explicitly give you permission to do so.
This fundamental principle is embedded in all the software I use. I consider any software that doesn't adhere to this principle malware. When my PC crashes, Microsoft asks me if I want to share information with them about what led to the crash. I usually say no, but I appreciate them asking. When I use gmail, I do so with the understanding that Google has full access to the contents of my email. They promise me that they won't do any funny stuff and I accept the conditions of this contract in exchange for free email.
I never entered into such an agreement with CarrierIQ. I've never even heard of CarrierIQ until this week. Yet despite this, they are logging everything I type into my phone, and sending some portion of the information that they log.
If I offered you $100 to install a program I wrote that logged every keystroke on your computer and sent some portion of this information to my own server over TCP, without giving you a privacy policy, you know very well you'd never take me up on this offer. So why is it ok with CarrierIQ?
The focus on how much information is in 10GB is beside the point. The point is that CarrierIQ has been demonstrated to have the ability to read and send everything you type into your phone. At this point we're just hoping they're the good guys and won't do anything overtly evil. But what's to stop them from calling the following function on your phone?
All this comment does is moralize. It adds no new information and provides no useful analysis. The only analysis you've provided to date appears flawed; for instance, it asserts that "10 gigabytes a day" of "raw metrics" implies "message contents".
As 'potatolicious seems fond of saying, "that's not even wrong".
Everyone agrees with you already.
I always forget, is it light or heat that's the one you don't want? You're adding more of the bad one, and none of the good one.
Apart from rebutting your analysis earlier, I'm under no illusion that my comment is helping clear up this ${INSERT_NERD_FREAKOUT_HERE} either, but I'm at least happy to speak up and raise the meta point that we shouldn't be rewarding comments like yours. Also, for obvious reasons, I'm past giving a shit about comment karma, so I can just say what I think.
Well, in the interest of keeping the signal/noise ratio high, here's my view on things.
When someone uses a mobile phone, they generally have the assumption that, unless they consent to it, third parties do not have access to their data (the government being a different story I won't go into). When I use GMail, I consent to Google reading my email via automated algorithms, and targeting ads at me through that. If I have anything important, I use email that I host myself or, if it's really top-secret, an anonymous throwaway account through Tor.
However, from what this video demonstrates, CarrierIQ is violating the basic principle of this by capturing and potentially logging your personal data without your knowledge or consent. Furthermore, it's violating the assumption that most people have that their passwords and such are not captured by applications other than the ones that they are entered into.
Now, we don't know for sure whether all this information is sent off to their servers and logged or not. However, in my personal opinion, the fact that this information is CAPTURED AT ALL is a serious problem, when combined with the fact that you are not informed of this!
He's one of the people who has been on HN forever. He's often a bit contrarian, but I don't doubt that he believes what he says, even when I strongly disagree with it. And if you scroll up, you'll see that I've already made clear my disagreements on this one.
Their software is not on all phones, so the total number of SMS messages is irrelevant. Assuming the average text message is 80 characters and they can be compressed 75%, then 10GB could be 500 million messages a day and 180 billion / year, which would be 10% of the total messages in a year. Or with enough metadata 10GB could represent a tiny fraction of that. So, IMO the real question is what information they actually collect, not how much data they are storing.
At 160 bytes per text and 2T texts per year, there are 800 gigabytes of texts per day. Thus Carrier IQ is monitoring the equivalent of 1% of all texts across all phones. That is still quite significant.
160 bytes per text seems like a very generous estimate. Casual observation would suggest the average is less than half that. I just got a text that seemed pretty long to me, so I went back and measured it. It was 90 bytes (104 characters * 7 bits per character / 8 bits per byte).
You're thinking quantitative when you should be thinking qualitative. The worrisome thing is that, as the screenshots show, they seem to have access to location-based information.
I wouldn't care if they were logging non-identifying info, such as the amount of time my phone display is on to analyze battery performance, for instance, or perhaps even the general settings I have on my phone to help HTC deliver more desirable "factory settings." Any of this could add up to that 1% you mention.
Speaking personally though I use a 5 or 6-year-old Blackberry model with no data plan and will happily continue to do so.
The point isn't how many texts they're getting --- one would be too many. The point is "10 gigabytes per day of metrics" doesn't itself imply that they're getting message contents.
You are militantly missing my point. There is no evidence that they are seeing message contents. All we are going on in this thread is the supposition that because they're getting "10 gigabytes a day", it must be message contents.
They themselves use the phrase "raw data" to describe what they collect (as "metrics"). Metrics are not comprised of raw data, but of measurements, so unless they're being hinky with word choice, a plain reading of their own materials would suggest that they do indeed receive user content.
They've said repeatedly that they do not collect that data. This is a common attitude on HN threads: the idea that the only facts for us to discuss are the ones in the article itself or in other comments on the thread. There are more facts just a Google search away for you.
Their own words are not dispositive; I'm not suggesting that they are. But here you're trying to interpret their words in a way that contradicts their own direct statement. Your interpretation is possibly accurate, but implausible.
I read this and don't see how it clears anything up.
My best guess (I know just as little about CarrierIQ as everyone else on this thread) is that CarrierIQ is trying to collect very innocuous information (performance statistics and event information to correlate them to), but is doing a slapdash job of generating that information --- for instance, by logging raw details to the Android filesystem.
I wouldn't want it on my phone either, but that doesn't make them Big Brother --- or, obviously, a "rootkit".
This is an important point that I think some people are forgetting. I use Verizon. They already have access to all of my text messages. I send my text messages to Verizon, who then forwards them on to the person I'm talking to. Just as Google first gets my email.
It is unfortunately a point that contradicts the thread narrative that casts a hapless, poorly-marketed analytics company as Big Brother incarnate, so nobody's going to pay attention to it.
They put backdoors on basically every phone in secret, threatened the guy who outed them with a lawsuit and are perfectly capable of snooping on everything, whether they do so or not.
What do you know about them that makes you trust them?
Nothing. There's just a likely innocent explanation for all three of those things:
1. CarrierIQ is a "secret" in the same sense as the network management software that Sprint uses that can also see all your SMS messages is a "secret": (a) nobody at Sprint thinks it's relevant to you, and (b) nobody at Sprint thinks it's any of your business. Which, if you take a breath, strictly speaking about the performance metrics they're collecting, it isn't your business.
2. CarrierIQ was dumb about threatening this guy like lots of other companies have been identically dumb. Companies have threatened to sue me. I remain cordial with the owners of some of those companies. Welcome to security research; we don't have jackets, but we sure get a lot of press.
Incidentally, put yourself in CarrierIQ's position and assume that this particular researcher is full of shit, meaning, no, CarrierIQ is not snooping on people's keystrokes. What would you do? There's a guy out there claiming that their performance agent is a "rootkit". They got pissed. Surprised?
3. Any piece of systems software the carrier agrees to stick on the phone is capable of snooping. Sprint itself could just backdoor their Android distro.
In their shoes, I would have contacted the researcher and explained myself. While unsurprising, that move was unwise, and I would imagine that you agree on that point at least.
I think someone once said that sufficiently advanced incompetence is indistinguishable from malice. Whether they're dumb or malicious, I'm just glad their crap isn't on my phone.
Even they seem to agree with it; rather than just shutting up about their C&D, they actually issued a formal apology to Trevor. That's an uncommon move.
I don't know whether some other shoe is about to drop; for instance, someone could actually show that they're transmitting real keycodes and not just metrics data. But in the absence of that shoe dropping, especially given how many people have jumped to a conclusion about CarrierIQ, I'm inclined to believe that what they do is actually benign. If you want to get upset at someone, get upset at the carriers themselves. When you do, remember, they're already recording all your messages without CarrierIQ.
Ok, now see, I missed that part about the apology somehow; I only knew that they dropped the lawsuit when lawyers stepped in. While there's no way I'd allow this crap on my phone, it does get them a little credit.
I think that there are zero people on HN that think CarrierIQ is a good idea.
So if all we're doing here is condemning CarrierIQ, let's just replace this whole thread with "CARRIERIQ BAD", followed by a bulleted list of bad things, vote it up to 1000, and then get back to talking about building things.
Or how about if you don't think that this thread is contributing anything to what you think HN should be, you stop yelling at everyone posting in it and go back to "building things"?
We get it, you don't like this thread. You don't need to respond to every comment with a pedantic "fuck you, shut up, and get off my lawn, I have a billion comment karma because people upvote snark so now I'm going to act like a dick
" comment of your own.
No. Tried that. Now trying the other way. These threads are dragging HN down, and I've decided to be noisier about it.
My feeling is that the same name recognition influence that gets most of my comments modded up 100-200% more than they're actually worth is going to get my -4 comments read even though they're light grey. We'll see!
> So if all we're doing here is condemning CarrierIQ
I asked someone who is quite good with crypto a question about a possible MITM attack on 141 million phones. I didn't condemn CarrierIQ, I avoided dramatic language, I even added qualifiers to avoid stating something as fact if it wasn't yet confirmed.
Sorry. You're right. I let the ultra dumbness of this whole thread bring me down a bit.
Doing an SSL MITM from agent software installed by the carrier on a phone seems pretty silly, since the carrier is in a position to see anything you're typing into your phone anyways (in the sense that it controls the OS).
I'm not sure I buy any analysis that suggests CarrierIQ is really "MITM'ing" SSL --- though that's trivial for a software agent to do --- because the same people saying that are also saying that it's obvious that CarrierIQ is capturing and remote-logging message contents.
Real question here: Should it be obvious that the carrier controls the OS? Second question: is that acceptable? I mean, that assumption underpins your dismissal of an MITM as "pretty silly", which also seems totally correct.
I'm just curious if that's the way phones will be forever: with the OS controlled by the carrier and with no right to tinker/hack/modify the device you buy & pay huge monthly fees to use.
People aren't writing novels on their SmartPhones. The typed input from a normal volume of text messages, e-mails, and URLs is actually pretty minute when you think about it. Certainly it would be compressed before being uploaded to their servers. IIRC they cite 140 million active devices so if you figure 3kB per day, which is probably on the high side, that's only 400GB before compression. You can compress text down by about 90% these days. That works out to only 44GB of data uploaded per day.
Did you read any of the articles or watch the video?
The guy shows `adb logcat` running and showing CarrierIQ logging keystrokes with their ASCII codes.
(edit: I make no claims about the transmission of data. I merely took "collection" and assumed that if the app was recording (even if not persistently) keystrokes on my phone that it counted as collection. Further, the fact that it can is enough to piss me off, especially since it seems like makers of this type of software have piss-poor track records for their app security)
And, as been pointed out repeatedly in discussions about the "security" domain, when you add an ability, you inherently add a vector for that ability to be abused.
Even if "raw data" are not currently being uploaded, how thin is the line between this being turned off and it being turned on? And who is in control of that decision?
At an absolute minimum, the situation demands transparency.
As for me, I'm a step closer to being firmly in Stallman's camp.
Right, the argument is logged keystrokes never leave your phone because that amount of data from each Android/Blackberry phone would be a lot more than 10 GB a day. I agree though, why are they logging it at all if the app isn't sending it to them? Very suspicious.
You, uh... you can enter 10 GB of text on your phone per day? I think maybe if you recorded all of the touch events, you'd end up with many megabytes worth, but I doubt the average user will enter more than a few kilobytes worth of text in a day.
I agree with you they will very easily record all the touch events. If you were typing 10 characters per second (which already seems like quite a lot), after 24h you will not even have a megabyte of information. Just over a megabyte if you encode the characters in Unicode. ;-) This is without even taking into account that this information can be heavily compressed for the transfer.
I read "that amount of data from each Android/Blackberry phone would be a lot more thn 10 GB a day." as "each device is generating over 10 GB a day." It makes more sense as a total, and really, 10 GB a day is NOTHING. In scientific computing, terabytes a day isn't too unusual, so it's certainly no big deal to store and process 10 GB a day.
When you can show me a tcpdump of your password being sent to CarrierIQ I will believe they are capturing your password.
All I've seen proof of so far is that it is capable of doing so because of how it is called before everything for anything, but let's not jump to conclusions here.
Neither drivebyacct2 nor the video claims the data is stored. Carrier IQ is collecting keystroke data, which you said they were not doing. The video clearly shows, when the user presses the "1" key:
where 49 is the keycode for the "1" key. This means the Carrier IQ code is called to collect and process this event information.
We just don't know what the code is doing with this information. Perhaps it is simply updating statistics and discarding it. So I guess your argument with drivebyacct2 is on the definition of "collecting"...
Logging to logcat does not mean it's sending those keystrokes anywhere on the internet. Logcat is the local system log and doesn't necessarily get sent anywhere but to a ring buffer on the device.
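The two comments above turn on what `adb logcat` actually shows: a keystroke event with its character code echoed into the system log, which is a local ring buffer and says nothing by itself about upload. The practical check a researcher would run on such a capture is below. It is an added example for this thread, not code from the video or from CarrierIQ. The log tag `HypotheticalAgent`, the `keycode=` field name and the sample lines are constructed for the example, since the thread does not reproduce the real log format; the codes are read as ASCII, as the thread does (49 is "1"). The point it makes is the one the comments circle around: whatever is uploaded, anything written to logcat was, on the Android versions of the time (before 4.1 restricted `READ_LOGS` to system apps), readable by any app that held the `READ_LOGS` permission, so typed input can be recovered from the log alone.

```python
"""Scan `adb logcat -v threadtime` output for components that echo keystrokes.

Added example for this discussion; not code from CarrierIQ or from the video.
"""
import re
from collections import Counter

# threadtime layout: "MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: message"
LOGCAT_LINE = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+"
    r"(?P<tag>[^:]+?)\s*:\s?(?P<msg>.*)$"
)

# The "keycode=" field name is an assumption for this example; the thread only
# says the video shows the number 49 when the "1" key is pressed.
KEYCODE_FIELD = re.compile(r"\bkeycode=(?P<code>\d+)\b")

# Constructed sample capture. "HypotheticalAgent" is a made-up tag standing in
# for the agent under discussion; the other tags are ordinary Android noise.
SAMPLE = """\
11-30 10:15:02.101  1234  1234 I ActivityManager: Displayed com.example.bank/.LoginActivity
11-30 10:15:03.210   987   990 D HypotheticalAgent: onKeyEvent keycode=49 view=password
11-30 10:15:03.455   987   990 D HypotheticalAgent: onKeyEvent keycode=50 view=password
11-30 10:15:03.700   987   990 D HypotheticalAgent: onKeyEvent keycode=51 view=password
11-30 10:15:03.912   987   990 D HypotheticalAgent: onKeyEvent keycode=52 view=password
11-30 10:15:04.000  2001  2001 V WifiStateMachine: Unhandled message
11-30 10:15:04.120   987   990 D HypotheticalAgent: upload reason=Scheduled bytes=312
"""


def parse_logcat(text):
    """Parse threadtime-format logcat output into dicts; skip non-matching lines."""
    entries = []
    for line in text.splitlines():
        m = LOGCAT_LINE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def key_echoes(entries):
    """Return (tag, code) for every log line that carries a keycode field."""
    hits = []
    for e in entries:
        m = KEYCODE_FIELD.search(e["msg"])
        if m:
            hits.append((e["tag"], int(m.group("code"))))
    return hits


def offending_tags(entries):
    """Count keycode-bearing lines per tag so the echoing component stands out."""
    return Counter(tag for tag, _ in key_echoes(entries))


def reconstruct_input(entries, tag):
    """Decode the codes echoed by one tag as printable ASCII, in log order."""
    return "".join(
        chr(code) for t, code in key_echoes(entries) if t == tag and 32 <= code < 127
    )


if __name__ == "__main__":
    parsed = parse_logcat(SAMPLE)
    for tag, n in offending_tags(parsed).items():
        recovered = reconstruct_input(parsed, tag)
        print(f"{tag}: {n} keycode lines; text recoverable from log: {recovered!r}")
```

Run it against a real capture with `adb logcat -v threadtime -d > capture.txt` and feed the file's contents to `parse_logcat`; the parser only relies on the standard threadtime layout, so the part to adapt is `KEYCODE_FIELD`, which must match whatever the agent on the device actually prints.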
You're implying the difference is intent. I'm saying, their intent isn't known. Their own statement is that they don't want the raw characters, just the stats.
Meanwhile, there are plenty of pieces of code strewn throughout your system that get access to similar bits of sensitive data. For instance, every BSD system has a BPF device and driver that exists solely to tap your network traffic. Luckily, nobody sells a BPF-for-Android product.
I'm not saying that this is a clinching argument. I'm simply making a point that is germane to the discussion. Distilled, it is: "just because a piece of systems code deals with your private information does not make a violation of your privacy; sometimes it does, sometimes it doesn't".
Yeah, but key logging?
What could you possibly do with that data?
Besides, the BPF driver in every BSD system is probably open-source and could be reviewed for intent if in doubt. It's not easy, not everybody can do it, but it is possible.
However, you cannot do that for CarrierIQ. Even if such logs aren't getting sent, you don't know that they haven't installed some kind of mechanism to trigger such an upload on demand.
It's almost 2012 and "open source" doesn't matter that much anymore when it comes to stuff like this: there's enough incentive and basic competence now that someone's going to reverse engineer CarrierIQ, if only to get themselves some press.
To use a situation analogous to the situation with CarrierIQ, he did not have permission and you never even knew he was there or that the camera was there. However, the camera is digital, it is connected to your power outlet with a battery-backed UPS, and it has an active wireless modem attached to it.
Maybe he did send data, maybe he didn't. But he's also sent you a CnD notice and threatening to sue you if you tell anyone.
I am a bit lost at all the down votes but he was recording data that breaches privacy acts. If he did send such data without permission it is a rootkit and can be unlawful (data protection act, uk). Because everyone has collectively found out about this at the same time a CnD would not work.
It's much easier to invade privacy in the name of providing a better product than to actually figure out what the customer wants. Collecting huge swaths of data allows a product to be tweaked to find a local maximum of profitability. It's an easier and safer alternative than to actually understand one's own product from a consumer perspective.
I fear this is where we're going in all corners of tech. Even more so because we're already quickly eroding any expectation that one should provide privacy to their users. All the while users are ignorant enough about tech in general and have no idea that their privacy can be and is flying out the door. Software exists in such a way that the lay user can't ever understand the boundaries or capabilities of software to do things that they are completely unaware of. The number of people who do understand what is going on is so small that they are neither a significant portion of the market, nor a "reasonable person" in the eyes of courts.
It should be noted that there's no evidence (yet) of what is sent to other entities, only what is captured by the software on the device.
This is bad enough, though. But, let's keep our head about this and calmly demand an explanation from HTC. Why them? Because they signed the binaries with their certificate, presumably at the request of carriers, but HTC is the first in line.
And don't believe the response from CarrierIQ. Just prior to that response, they still had very informative high resolution screenshots of their "Device Analyzer" product which showed a scary level of data mining of end user devices. They were probably great eye candy for their customers (carriers), but creepy for anyone valuing their privacy.
I agree that this information is likely for improved QoS, but what can (has) it been mis-used for? Employees can't be trusted, and the government can't be trusted. An end user can't even opt out of it.
Edit: According to Google Image Search, others are mirroring some of the prior shots. Note that nothing is anonymized in the least (nevermind that anonymizing data is practically a myth).
To be fair, the response from CarrierIQ implies that this is the case:
"In an interview last week, Carrier IQ VP of Marketing Andrew Coward rejected claims the software posed a privacy threat because it never captured key presses.
“Our technology is not real time,” he said at the time. "It's not constantly reporting back. It's gathering information up and is usually transmitted in small doses.”
I'm not sure why I would care to defend him, but it seems that his claim that the data is not real time can be verified by the first image in the parent comment's list. In that shot there's a column listing the 'Upload Reason'. The reasons include "Scheduled" and "Archive full", which seems to indicate that the software reports back at set times unless the user was particularly active and the data file hit some size limit.
There's also a third upload reason in that image which has its own disturbing implications: "SMS_PullRequest_CS".
The fact that it has hooks to even know of the keystrokes is the real issue here. Even without recording or logging them afterwards, the fact that it has the ability means it's a possible attack vector for things like worms/etc...
Even if they never do anything with keystroke data, just the fact that they can is the dangerous part. What is to prevent some switch to start sending the keystrokes in the future? I'll be blunt, this company's implementation of its business model strikes me as being borderline wiretapping.
As a WP7 user, I emailed HTC yesterday asking whether or not this software (or similar products) are used on their WP7 devices. Here's the response I got:
"Dear Kevin Jacobs,
I understand you would like more information about the Carrier IQ software, or any software of this nature on your device. I understand your concerns about this issue and protecting my privacy is definitely one of my top priorities as well.
We have not had any reports of any kind of software like this on any Windows Phone 7 device. This type of software has been used on Android devices, but since Microsoft developed this operating system I am sure they did not include any software of this kind.
Let me know if I have successfully answered your question, please click here to complete this.
To send a reply to this message, please click here.
>I am sure they did not include any software of this kind.
While I am a WP7 owner, I find this to be a little presumptuous. Microsoft may not have included _this specific_ software, but how does HTC know they didn't include anything like it? I don't believe Microsoft gives handset makers the source code for the software. I know they don't allow them to customize it. Perhaps HTC has not installed anything like it or been allowed to install anything like it, but how would HTC know if MS did it themselves?
If they knew they wouldn’t be hedging. They don’t know, they just think it’s very unlikely. What this tells you is that HTC (claims they) didn’t do anything with WP7 phones.
That's a very non-reassuring answer, as her 'sure' statement doesn't sound very sure. The original report at http://androidsecuritytest.com/features/logs-and-services/lo... states "Devices supported include android phones, Blackberries, Nokias, Tablet devices and more."
The part about logging/transmitting personal info is a red herring. The real issue is failing to provide an opportunity for users to assent to the installation of this software on their device. It makes no difference to me whether data is being logged or transmitted over a network. However, I'm terrified that a phone manufacturer would install a very hidden program with root-like privileges, offering a single point of failure. A malicious user could potentially exploit this program's vulnerabilities to access everything on your phone.
IMO, this is a slippery slope argument. The actual phone OS, which is certainly "logging key presses", is also an opportunity for exploitation via vulnerabilities. I fail to see how this software is a special case. Additionally, the carriers are certainly storing and tracking your movement and location, and storing your SMS (how else do you suddenly get them when you turn your phone on after your plane lands?)
I think the subtle difference here is that we as consumers have an implicit understanding that the OS and the carriers must store and handle our data in order to provide the services to us that they do. We must trust them if we use their devices and networks.
That trust is given because the data sensitivity is proportional to the disclosure and scrutiny of the providers. The phone, its OS and who provides the network inherently have access to all your data, a huge responsibility, so no attempts are made to hide or obfuscate who those companies are and what they're doing. You know Samsung makes your phone, it runs on android and you use the Verizon network. CarrierIQ seems to have access to all the same data your OS and carrier has, yet their presence is not made transparent/known to the user of the phone.
That said, it's not clear to me what CarrierIQ's integration is like. Is it purely a software framework Android uses to log and store metrics for the carriers? Is it a 3rd party app installed by the carrier to help them store user metrics? How autonomous is CarrierIQ with the data? Do CarrierIQ engineers see your data or is it just for the carriers? Until that's clear, it's anyone's guess.
I agree with this (maybe not 1000x worse, but still).
Anything Apple does wrong is blown out of proportion. Yes, the Apple-collected data wasn't encrypted, but now it is.
What if this data is compromised at this CIQ company? I hope the data is traceable to an IMEI number ONLY which would make it okay, but still! Why do they need to receive text messages coming in to the phone???
Yes this is much worse and should get 10x the attention. Reason for me to be suspicious of every Android phone I'll get (I assume there are ways to remove it and that it's not shipped on non-contract Nexus). The reason a comparatively minor iPhone scandal gets so big is because everything Apple related gets now over-hyped in the media. You could say Jobs has marketed the Apple brand very well.
I have a horribly naive and definitely uninformed question:
this was detected on an android device which is a fairly open platform when compared to the iPhone/Windows phones in terms of software transparency, correct? Is there any way to know for certain that Apple/MS aren't doing this exact same/similar sort of thing?
> Is there any way to know for certain that Apple/MS aren't doing this exact same/similar sort of thing?
You can't really ever know things "for certain", but considering the number of jailbroken iOS devices in researcher hands it's likely this would have been discovered.
Microsoft has in fact done the same sort of thing in Windows Update, though it denied it. Certainly nothing as brazen as a keylogger, but in 2003 it was caught phoning home a list of all installed software, and hardware identifiers, in an SSL connection.
Well, for one, because the legion of fandroids would be here raving about the "evil Apple empire" if this story were about Apple; as it is about Android, these same fandroids are saying that Apple are just as bad, if not worse.
"Update: Our original article stated that the software also came preinstalled on iPhones and dumphones, which has not been confirmed. That information came from this article at Geeks.com, and we actually believe that to be a typo. Considering it hasn't been mentioned in any other source, and that the iPhone isn't on Eckhart's list of affected devices, we're removing it until other sources say otherwise. Thanks to everyone who pointed this out."
The location data concern was that if anyone got possession of your phone or a copy of your backup, they could discern your entire location history.
With this finding, if someone got possession of your phone, they could apparently discern...nothing. Instead a subset of data is sent to a company contracted by the carriers (or at least one - Sprint) for the purposes of network monitoring/quality monitoring. Of course the carriers already know your location history through time (just as they know every SMS you sent, picture you sent, data you transmitted, voice call you made, etc), whether you're on a smartphone or dumbphone, and everyone knows and is aware of this.
Is this app sending too much data? I guess we'll find out. Is it "1000 times worse" than a forever location log easily exploitable? Not really.
EDIT (while sitting at -4 while the hysterics have their fit of vapours): Moderation in this story has demonstrated to me once and for all that HN is largely populated by ignorant bottom-feeders now. It is a sad state of affairs, and this site desperately needs a turn off moderation from dipshits option for users to toggle.
I think it is certainly a lot worse. All user data (since it is a keylogger?) being logged and sent to a third party without user knowledge or consent, how is that not worse than just logging user information on the device?
To get access to your location data on the iPhone, someone would have to steal your phone or get into your itunes account. This is happening in the background.
>All user data (since it is a keylogger?) being logged and sent to a third party without user knowledge or consent
Where does anyone say that it is being sent to a third party? This rather noob-ish developer noted that they have a keyboard hook, but in no way does that mean that they send all of your keystrokes to a third party.
Honestly I think I expect too much from HN. The level of discourse on here is absolutely no better than any typical blowhard site.
I don't see how meta comments on HN help the discussion.
Directly from the article:
> “Our technology is not real time,” he said at the time. "It's not constantly reporting back. It's gathering information up and is usually transmitted in small doses.”
The issue is, we don't know what this software is gathering and sending. It is not being done with consent.
But you're right, this needs to be looked into before getting the pitchforks out. But certainly, having the presence of a keylogger is bad enough in itself.
I'm sure people consented through some random paragraph in a two hundred page long EULA, usually under the guise of quality monitoring.
The meta is pertinent. I expect the sort of knee-jerk reaction among non-software developers. I don't among a crowd more educated in the realm.
There is little chance this company is recording, much less transmitting, everything you type, every message you receive, etc. I would hazard a guess that they do, however, record basic usage patterns to let the carrier know how people are using their devices ("6975 characters average per day, send 256 messages while receiving 12. Spends an average 37 seconds in the dialer.").
??? Really, how so. How are they going to get all of the passwords you typed in? Can you point out where anyone has noted any log on the device of this data?
This whole story is that they have system event hooks. That's it. Maybe a real security researcher will find something deeper, but as is it's a nothing story of limited interest. When people like you carry it further than reality you just add ignorance to the conversation.
I think this is a good case study in support of "never trust an internet-connected electronic device directly from a vendor". There should be a universal policy to unlock, root, or blow away any software that exists and replace it with "known good" software, like CyanogenMod, Ubuntu, or a new copy of Windows.
I am surprised the internet took this long to respond, considering that the HN discussion on this was started almost a week ago[1][2]. That said, after watching the video I'm all kinds of sceptical about the dude's claim.
From a Wired article on this: "it cannot be turned off without rooting the phone and replacing the operating system. And even if you stop paying for wireless service from your carrier and decide to just use Wi-Fi, your device still reports to Carrier IQ."
First of all, it is excellent to see this type of hacking and reverse engineering.
This is rather brash. I am surprised to see this on a such an open platform as Android. Even as some of the comments are suggesting they are not sending the data in non crash situations, keeping it logged is rather brazen.
On the flip side though, I have to wonder how would one determine crash behavior before the phone crashes? It seems to me that the phone would need to preemptively log some behavior that would then be indicative as to what caused the crash.
CarrierIQ provides a valuable service for all of us. They relay data that optimizes carrier networks, so that we can call, text, get data, etc more reliably.
The problem this thread highlights is poor marketing and transparency. No one at CarrierIQ gives a damn what we text. Breaking those basic privacy tenets would destroy their business, which seems to be going nicely if their software is on >100M devices.
The company just does a crappy job explaining what their technology does and how it helps consumers. Uncertainty around our private information spooks people, which leads to distrust and conspiracy theories. Let this be a valuable lesson for entrepreneurs who touch consumer data, even B2B solutions.
Gmail and Bluekai provide excellent counter-examples of ways to squash these concerns:
-Gmail -remember the ruckus about Google reading your email for ads? Google publicly explained this and now no one cares.
-Bluekai -the company tracks data for online ads. Touchy subject. But they're transparent and lay everything out on their website, including an opt-out: http://bluekai.com/consumers.php
CarrierIQ clearly needs to address these issues. Let's call on them to do that. In the meantime, take a moment to imagine how much more we'd hate carriers if reception was even spottier (cough...AT&T iphone...)
>"CarrierIQ provides a valuable service for all us. They relay data that optimizes carrier networks, so that we can call, text, get data, etc more reliably."
Considering how crappy call quality and SMS (which was designed to be used to send control messages to phones) reliability are and how expensive data is, it seems like they're doing a pretty bad job of it. Also, there is no reason to do this client-side since this can all be done at the carrier infrastructure level -- and already is.
>"The problem this thread highlights is poor marketing and transparency. No one at CarrierIQ gives a damn what we text."
Warrantless wiretapping is illegal. I'm not sure what more to say here.
>"Breaking those basic privacy tenants would destroy their business, which seems to be going nicely if their software is on >100M devices."
unless you can't [as a non-techie] remove their software or opt out, which you can't.
>"The company just does a crappy job explaining what their technology does and how it helps consumers. Uncertainty around our private information spooks people, which leads to distrust and conspiracy theories."
http://www.echelon2.org/wiki/Palantir OK. I don't believe you since there are lots of documented reasons to not trust anyone with data like this. Also, why did they send a CnD letter to the guy and threaten him if they're not doing anything bad?
>"Let this be a valuable lesson for entrepreneurs who touch consumer data, even B2B solutions."
Yes, installing rootkits on hundreds of millions of devices without user consent, then trying to gag the security researcher who outs you is pretty damn bad form.
>"CarrierIQ clearly needs to address these issues. Let's call on them to do that. In the meantime, take a moment to imagine how much more we'd hate carriers if reception was even spottier (cough...AT&T iphone...)"
No, people already hate carriers, and there is no explanation that will make installing keyloggers on hundreds of millions of cellphones acceptable, ever. As I already said, carriers have had the power to gather the data they need to improve their networks at the infrastructure level (towers record MEIDs / EIDs / IMEIs already and this data would be easier to collect there) for years, and they already do use that to "improve" their networks.
Not to spout conspiracy theories everywhere here, but have you /seen/ the FCC press release about the ATT / T-Mobile merger and how badly ATT misrepresented facts? http://www.theverge.com/2011/11/30/2599466/fcc-report-att-pr... give this a read and then honestly tell me you think that carriers have all the best intentions.
Companies are supposed to make profits for shareholders, not protect your privacy or be nice to you. If they can make money by selling your personal data, they will and they're probably doing just that right now.
A handful of comments are saying that is ok because CarrierIQ is probably not sending all data (probably not in Europe, but probably they do in Saudi Arabia). This is disturbing because people making these kind of comments are entrepreneurs and in general great people. It seems like we are losing our moral compass in Silly Valley. Fuck. Please please don't do things like this.
I just checked on my Motorola Atrix. I didn't see any CarrierIQ process, but the Blur framework is logging tons of stuff on ADB, such as all key inputs for the autocompletion software or every swipe movement on the home screen, but no https query appears to be logged at first glance. "Search Intent" terms on the other hand are logged. I never really trusted Blur because until the latest few versions of the ADT the LogCat console was messed up with debug messages from EON & Blur and it was a pain to keep it somewhat static and readable for my own devs, but these couple of reports on keylogging frameworks make me look twice at my own phone now.
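The check the comment above describes, looking at what a framework writes to logcat, is easy to turn into a repeatable scan. The following is an added example written for this thread, not code from CarrierIQ, Motorola or anyone in the discussion. It parses logcat's "brief" format (LEVEL/Tag(PID): message) and flags records carrying content that a diagnostics log should never hold in the clear: individual key presses, SMS bodies, search terms, URLs with query strings, and anything that looks like a token or password. The sample log lines, the tag names (AppLogger, SmsBridge, HttpQueue) and the message shapes are constructed for the example; real frameworks will need their own regexes. The reason this matters beyond "it's only local": on Android releases of this era any installed app holding the READ_LOGS permission could read the whole system log, so whatever a framework logs is effectively shared with every such app.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in logcat "brief" format, LEVEL/Tag(PID): message.
# Tag names and message shapes are assumptions made up for this example;
# they are not CarrierIQ's or Motorola Blur's real log output.
SAMPLE_LOGCAT = """\
D/dalvikvm(  812): GC_CONCURRENT freed 412K, 51% free
I/AppLogger( 1337): keyPressed code=37 char='h' field=search
I/AppLogger( 1337): keyPressed code=33 char='e' field=search
I/AppLogger( 1337): keyPressed code=40 char='l' field=search
I/AppLogger( 1337): swipe dx=120 dy=-4 screen=home
I/AppLogger( 1337): searchIntent query="bank login"
I/SmsBridge( 1337): smsReceived from=+15555550123 body="your code is 481516"
D/HttpQueue( 1337): GET https://mail.example/login?user=alice&token=abc123
D/HttpQueue( 1337): POST https://metrics.example/upload reason=Scheduled bytes=612
I/ActivityManager(  612): Displayed com.example.mail/.Inbox: +420ms
"""

LINE_RE = re.compile(
    r"^(?P<level>[VDIWEF])/(?P<tag>[^(]+)\(\s*(?P<pid>\d+)\):\s(?P<msg>.*)$"
)

# One rule per kind of content a diagnostics log has no business carrying in
# the clear. The last capture group, where there is one, is the sensitive payload.
RULES = [
    ("keystroke", re.compile(r"\bkeyPressed\b.*\bchar='(.)'")),
    ("sms_body", re.compile(r'\bsmsReceived\b.*\bbody="([^"]*)"')),
    ("search", re.compile(r'\bsearchIntent\b.*\bquery="([^"]*)"')),
    ("url_query", re.compile(r"\bhttps?://\S+\?\S+")),
    ("secret", re.compile(r"(?i)\b(token|password|passwd|secret)=([^&\s]+)")),
]


@dataclass(frozen=True)
class Finding:
    category: str
    tag: str
    pid: int
    payload: str


def scan(logcat_text):
    """Return one Finding per (line, rule) match; a line can hit several rules."""
    findings = []
    for line in logcat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation or garbage line, not a logcat record
        tag, pid, msg = m["tag"], int(m["pid"]), m["msg"]
        for category, rule in RULES:
            hit = rule.search(msg)
            if hit:
                payload = hit.group(hit.lastindex) if hit.lastindex else hit.group(0)
                findings.append(Finding(category, tag, pid, payload))
    return findings


def summarize(findings):
    """Category -> count: the headline for a quick look at a long log."""
    return dict(Counter(f.category for f in findings))


def typed_text(findings):
    """Reassemble what the user typed, per logging tag, from per-key records.
    This is exactly what any reader of the log could do with such entries."""
    out = {}
    for f in findings:
        if f.category == "keystroke":
            out[f.tag] = out.get(f.tag, "") + f.payload
    return out


if __name__ == "__main__":
    found = scan(SAMPLE_LOGCAT)
    for f in found:
        print(f"{f.category:10} pid={f.pid} tag={f.tag}: {f.payload}")
    print(summarize(found))
    print(typed_text(found))
```

On a real device, pipe `adb logcat -v brief` into `scan()` instead of the constructed sample, and group findings by PID to see which process is responsible; a framework that logs per-key records will show up as a run of keystroke findings under one PID, as the sample does.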
I'd like to run wireshark to check out what's really going out of my phone when I'm on the wifi - I'm a bit of a novice in that area (network monitoring), does anyone have any pointers of things to look for?
I think in this instance the application Charles would be more helpful than Wireshark. See the below article for how someone analyzed wifi traffic from iPad:
Thanks for the useful link. Now to enable proxy settings on the Atrix...
Alright. So for now I don't see much "phone-home trouble" but I'm far from the security expert around here. There are a few http queries (both GET and POST) made using some plain text OAUTH tokens to the MotoBLUR servers, but as far as I could notice nothing was really sending much information. Then again, the first thing you do when you launch blur for the first time is giving it your twitter/facebook/gmail account login&passwords, so... I'll get what I deserve here :P
The only "tracking/keylogging" queries I could find were done to data.flurry.com, and were only tracking (in plain text) my inputs on the Winamp App, so I call it fair play.
I'm a bit relieved here, thanks again for the tip with Charles. Let's hope someone with a better expertise than me will definitely rule Motorola out of that CarrierIQ logging thing, but so far, so good.
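The proxy check the commenter ran with Charles is the right instinct, and the things to look for can be written down: requests to hosts you never signed up for, anything over cleartext http, credentials riding in query strings or form bodies (the plaintext OAuth tokens mentioned above are exactly this), IP-literal destinations with no name to block, and how many bytes each host actually receives. The script below is an added example for this thread, not anything from Motorola, Charles or the commenter. It parses raw HTTP requests the way a proxy exports them (absolute URL on the request line) and produces a per-host report with those flags. The three captured requests are constructed; the hosts other than data.flurry.com, the token values and the payloads are made up. Two caveats a practitioner would add: a proxy only sees traffic from components that honour the device's proxy setting, so anything that bypasses it needs a capture at the access point or a transparent proxy instead, and HTTPS bodies are only readable if the proxy's CA certificate is installed on the phone.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

# Constructed capture: three requests written the way a proxy shows them
# (absolute URL on the request line). Hosts other than data.flurry.com, the
# token values and the payloads are made up; this is not the Atrix's real traffic.
CAPTURE = [
    "POST https://api.blur.example/v1/sync HTTP/1.1\n"
    "Host: api.blur.example\n"
    'Authorization: OAuth oauth_token="tkn-9f2c", oauth_signature="sig-1"\n'
    "Content-Type: application/x-www-form-urlencoded\n"
    "\n"
    "account=alice&last_sync=1322700000",
    "GET http://data.flurry.com/report?appid=WINAMP&keys=play%2Cpause%2Cshuffle HTTP/1.1\n"
    "Host: data.flurry.com\n"
    "\n",
    "POST http://203.0.113.9/collector HTTP/1.1\n"
    "Host: 203.0.113.9\n"
    "Content-Type: application/x-www-form-urlencoded\n"
    "\n"
    "device=IMEI-0123&token=s3cr3t&blob=AAAA",
]

CREDENTIAL_KEY = re.compile(
    r"(?i)^(oauth_token|access_token|token|password|passwd|secret|api_key)$"
)


@dataclass
class Request:
    method: str
    url: str
    headers: dict
    body: str


def parse_request(raw):
    """Minimal HTTP/1.1 request parser: request line, headers, optional body."""
    head, _, body = raw.partition("\n\n")
    request_line, *header_lines = head.splitlines()
    method, url, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, url, headers, body.strip())


def _has_credential_key(query):
    return any(CREDENTIAL_KEY.match(k) for k, _ in parse_qsl(query))


def triage(raw_requests, expected_hosts):
    """Per-host report: request and byte counts plus the flags worth a second look.
    expected_hosts: destinations the user knowingly signed up for."""
    report = {}
    for raw in raw_requests:
        req = parse_request(raw)
        parts = urlsplit(req.url)
        host = parts.hostname or req.headers.get("host", "")
        entry = report.setdefault(host, {"requests": 0, "bytes": 0, "flags": set()})
        entry["requests"] += 1
        entry["bytes"] += len(raw.encode())
        flags = entry["flags"]

        cleartext = parts.scheme == "http"
        if cleartext:
            flags.add("cleartext")
        if host not in expected_hosts:
            flags.add("unexpected-destination")  # nobody told the user about it
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            flags.add("ip-literal-host")  # no name to look up or block

        # Credential carriers: Authorization header, query string, form body.
        carriers = []
        if "authorization" in req.headers:
            carriers.append("header")
        if _has_credential_key(parts.query):
            carriers.append("query")
        is_form = req.headers.get("content-type", "").startswith(
            "application/x-www-form-urlencoded"
        )
        if is_form and _has_credential_key(req.body):
            carriers.append("body")
        for where in carriers:
            flags.add(f"credential-in-{where}")
        if carriers and cleartext:
            flags.add("credential-over-cleartext")
    return report


def severity(entry):
    flags = entry["flags"]
    if "credential-over-cleartext" in flags:
        return "high"
    if flags & {"unexpected-destination", "cleartext", "ip-literal-host"}:
        return "medium"
    return "info"


if __name__ == "__main__":
    for host, entry in triage(CAPTURE, {"api.blur.example"}).items():
        print(f"{severity(entry):6} {host:20} {entry['requests']} req "
              f"{entry['bytes']} B {sorted(entry['flags'])}")
```

The byte totals per host are the number to compare against whatever a vendor claims about upload volume; a host that receives a few hundred bytes per day and one that receives a form-encoded dump of the IMEI and a token look the same in a process list and very different here.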
This guy needs prison time for lies like these - or at least hauled before congress:
Carrier IQ VP of Marketing Andrew Coward rejected claims the software posed a privacy threat because it never captured key presses.
“Our technology is not real time,” he said at the time. "It's not constantly reporting back. It's gathering information up and is usually transmitted in small doses.”
Coward say[s] that Carrier IQ was a diagnostic tool designed to give network carriers and device manufacturers detailed information about the causes of dropped calls and other performance issues.
(1) That a vector is there for an untrusted third party to record and report all keystrokes
(2) It was put there at the insistence of the carriers, and
(3) That there is no way for a user to turn it off without voiding their warranty.
edit:
(4) This has serious implications for the trustworthiness of Android-based platforms as we attempt to move towards using NFC for financial transactions. Who in their right mind would trust Android (or any smartphone, really) as a debit card after this?
JwanToo, jgrahamc and tptacek are questioning point 1. That is, they're pointing out reasons why it may not be a vector. We don't have enough information to know.
If you're worried about Carrier IQ intercepting SMS messages, don't be. The carriers have been doing this for a number of years and even share them with government agencies:
I'm not a lawyer, but unless there is some fine print in the notifications sent to subscribers, it is quite possible that they have broken the laws regarding the interception of communication. This sounds a lot like what killed phorm in the US.
Is there any evidence that any of this is uploaded to a carrier or app maker? Can any app developer access this log from their app? It seemed essentially that the debug logs just kept a super verbose log for debugging.
I used to think I better avoid installing a custom ROM in my phone because it might contain software exactly like this one. This really upsets me. Time to check CyanogenMod out.
The usual suspects are almost certainly going to file a class-action lawsuit or two over this, but it won't be 'massive' since this isn't a clear and easy win. (The hardest part about this type of suit is showing real, concrete harm to actual people - and not just hypothetical potential harm. So Carrier IQ knows you play Angry Birds - so what? How'd that demonstrably hurt you?)
No, instead the lawyers responsible for offering the class action will be willing to settle for a) a rather nice profit for them, b) a pittance for the handful of individuals they round up to be plaintiffs, and c) some symbolic genuflecting in the direction of privacy, maybe in the form of a charitable donation to a non-profit.
The sum total cost of a) through c) will be carefully calculated - high, but not too high, or Carrier IQ (and their clients, who will also get sued) will decide to fight back and possibly win. Certainly nothing infomerical-worthy - that's reserved for cases where winning is pretty much guaranteed.
Since their business model is based around selling data collected without user knowledge/consent, I feel like digging into their financials would reveal a pretty strong case against them.
After looking at the screenshots of the carrier-side it seemed to me that the Carrier IQ system allows much more interaction/control from the carrier side. Pending patent applications sometimes can tell you a lot about where a company is heading.
Here are a couple of quotes from Carrier IQ's pending U.S. 20090207749 USER-INITIATED REPORTING OF MOBILE COMMUNICATION SYSTEM ERRORS:
"...This configuration enables the system 200 to dynamically generate and download to a population of wireless devices rule-based data collection profiles. Data collection profiles may be generated manually by a network administrator, a software developer or other personnel involved in the operation of the network (hereinafter referred to as "network administrators"), created offline as a portion of a data analysis solution, or automatically generated based on network parameters or other events. Profiles define what information is to be collected on the devices in response to which conditions and events, as well as the conditions and events that cause the device to upload the collected information.
[0038] Conditions or events include any occurrence in the network or on the device that the device can sense, such as a call dropping or a user pressing a button on the device. Conditions and events also include the passage of time, or a request from a network administrator that the device report information back to the server. Conditions and events which cause a device to collect information or upload the collected information may generally be referred to as "triggers." "
and:
"[0080] In the exemplary embodiment, triggers may be included in the data collection directives of a data collection profile, and their inclusion causes the client to initiate, abort, and terminate data collection activity as appropriate when the associated trigger condition is invoked by the wireless device 400. A trigger invocation that matches the initiating trigger causes data collection activity to begin. A match of the terminating trigger causes the data collection activity to end, and a metrics package is then prepared for uploading. An abort trigger causes data collection activity to cease, and a metrics package is not prepared or is not uploaded. In the example used earlier, launching an application caused the client to be invoked with an "application launched" trigger event, which is matched against triggers in downloaded profiles and causes data collection activity to begin on a user's device. The user's entering of a particular key sequence, pressing of a dedicated button, or selection of a particular menu option while the application is running would cause another trigger to be activated, and the SQC would match the event to a terminating trigger in the profile, cause data collection to stop and a metrics package to be prepared and uploaded. As can be seen, the inclusion of a trigger in a profile effectively selects the condition under which a specific action associated with that profile is to be executed. The trigger is not strictly within the profile, rather it associates specific profile actions (start, stop, abort) with a specific event on the device. "
And the claims from their pending "USING MOBILE DEVICE TO CREATE ACTIVITY RECORD" application No. 20090210516 is quite interesting to browse:
1. In a communication system, a method for creating an activity record, the method comprising: recording data at a device, the data including one or more events and event-related data that describe activities of a user; uploading the data to a server, wherein the server organizes the data based the event related data; and generating an activity record using the data that can be presented to a user, wherein the activity record represents at least a partial log of the activities of the user.
2. The method of claim 1, wherein event-related data comprise one or more of: a time an event occurs; a date the event occurs; a location of the device when the event occurs; a filename of an event object associated with the event; a mobile device number (MDN); and a contact name.
3. The method of claim 2, wherein generating an activity record using the data comprises creating an entry for each of the one or more events describing where and when an event occurred.
4. The method of claim 3, further comprising presenting the activity record on a website, wherein the website is accessed by the device or using another device.
5. The method of claim 3, wherein the one or more events comprise at least one of: making or receiving a phone call; sending or receiving a message; taking a photograph; recording a device location; receiving and playing a broadcast; connecting to an 802.11 or Bluetooth access point; and using a device application.
6. The method of claim 5, wherein the location of the mobile device is recorded periodically and independently of other events. ....
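The patent text quoted above describes a generic mechanism rather than a fixed set of metrics: the server pushes "data collection profiles", each profile names the events to record and the triggers (initiating, terminating, abort) that start collection, end it with a metrics package queued for upload, or throw the partial data away, and separate triggers (a timer, an archive that has filled up, or a server request) decide when queued packages leave the device. That maps directly onto the "Scheduled" and "Archive full" upload reasons a commenter spotted in the screenshots earlier in the thread. The following is an added example modelling that mechanism; it is not CarrierIQ's code and the profile contents, event names, archive limit and the "Server pull" reason string are assumptions. The security point it makes concrete: the device-side client is content-agnostic, and whether key presses are recorded is decided by which event names the downloaded profile lists, so observing what is uploaded today says nothing about what the same client can be told to collect tomorrow.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Profile:
    """A downloaded data-collection profile: which events to record, and the
    triggers that start, stop or abort collecting (terms from the patent text).
    Contents here are assumptions for the example."""
    name: str
    start: str                 # initiating trigger
    stop: str                  # terminating trigger: package the data for upload
    abort: Optional[str]       # abort trigger: discard the partial data
    metrics: Tuple[str, ...]   # event names recorded while the profile is active


@dataclass
class MetricsPackage:
    profile: str
    events: List[Tuple[str, object]]
    upload_reason: Optional[str] = None


class Collector:
    """Device-side client. Profiles arrive from the server; events arrive from
    the device (key presses, call state, timers); packages leave on upload."""

    def __init__(self, profiles, archive_limit):
        self.profiles = list(profiles)
        self.archive_limit = archive_limit
        self.active = {}     # profile name -> events collected so far
        self.archive = []    # packages waiting to be sent
        self.uploaded = []   # what actually left the device, with the reason

    def on_event(self, name, data=None):
        for p in self.profiles:
            if p.name not in self.active:
                if name == p.start:
                    self.active[p.name] = []
                continue
            if name == p.abort:
                del self.active[p.name]                 # discard, no package
            elif name == p.stop:
                events = self.active.pop(p.name)
                self.archive.append(MetricsPackage(p.name, events))
                if len(self.archive) >= self.archive_limit:
                    self.upload("Archive full")
            elif name in p.metrics:
                self.active[p.name].append((name, data))

    def on_schedule(self):
        self.upload("Scheduled")

    def on_server_pull(self):
        # The patent's "request from a network administrator that the device
        # report information back". The reason string is an assumption.
        self.upload("Server pull")

    def upload(self, reason):
        for pkg in self.archive:
            pkg.upload_reason = reason
            self.uploaded.append(pkg)
        self.archive = []


def run_scenario():
    """Constructed event stream exercising start, abort, stop and both upload paths."""
    profiles = [
        Profile("app_usage", start="app_launched", stop="app_closed",
                abort="battery_low", metrics=("key_pressed", "menu_selected")),
        Profile("dropped_call", start="call_started", stop="call_dropped",
                abort="call_ended_normally", metrics=("signal_sample",)),
    ]
    c = Collector(profiles, archive_limit=2)
    c.on_event("call_started")
    c.on_event("signal_sample", -60)
    c.on_event("app_launched")
    c.on_event("key_pressed", "h")        # app_usage lists it; dropped_call does not
    c.on_event("call_ended_normally")     # dropped_call aborted: samples discarded
    c.on_event("app_closed")              # app_usage packaged and queued
    c.on_schedule()                       # timer fires: queued package uploaded
    c.on_event("call_started")
    c.on_event("signal_sample", -75)
    c.on_event("call_dropped")            # packaged; archive now holds 1 of 2
    c.on_event("app_launched")
    c.on_event("key_pressed", "i")
    c.on_event("app_closed")              # archive reaches the limit: uploads both
    c.on_server_pull()                    # nothing queued, nothing sent
    c.on_event("app_launched")
    c.on_event("key_pressed", "x")
    c.on_event("battery_low")             # aborted: the 'x' never leaves the device
    return c


if __name__ == "__main__":
    for pkg in run_scenario().uploaded:
        print(pkg.upload_reason, pkg.profile, pkg.events)
```

Note that nothing in `Collector` is specific to key presses: swapping the `metrics` tuple in a profile changes what is recorded without touching the client at all, which is why the existence of the hook, not the current profile, is the thing to evaluate.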
The issue is not how many bits or bytes this is sending. The fact that you have never given permission to this and you can't switch it off tells me something about Google and their priorities. Steve Jobs fought hard to prevent any carrier pre-install apps on the iPhone. No such leadership from Google!
Before reading, I guessed that "millions of phones" meant millions of Android phones. Because if this was happening on iPhones, that would merit mention in the headline. Funny how that works.
FTA: "Eckhart said he chose the HTC phone purely for demonstration purposes. Blackberrys, other Android-powered handsets, and smartphones from Nokia contain the same snooping software, he claims."
It's not "Android" phones alone, it seems like everything but iPhones and Windows phones. Thus, the title is accurate.
I see just as many "Android phones do this naughtiness" headlines as I see "iPhones allow these shenanigans" headlines. The fact that it isn't mentioned in the header lends more credence to the author (and article).
> It says iphones and blackberrys are equally affected.
No, it says Blackberries and Nokia phones are equally affected. The application requires 1. carrier-custom ROMs and 2. very low level access to the OS. Both are things iOS does not provide, Apple does not allow carriers to tinker with iOS images and does not allow low-level OS access (unless you jailbreak).
Do you have the slightest evidence for your claim?
> It's just more difficult to see inside a safe.
Anything can be seen on a jailbroken iphone.
> Remember the js code that showed all the places the phone have been using a mere phone backup data?
This was (explained as) a location cache the developer forgot to clean (most phones will cache the last few locations so it does not have to boot the location circuitry if an application only needing a very rough location estimate needs a fix) which mistakenly existed in a backed-up location (note that unless users sent them, those backups never left their machine). And the issue was fixed in the next update (both the backing up and the too-greedy cache).
You made me wonder- is jailbreaking an iPhone the equivalent of rooting an Android phone? It's just about becoming the root user in the Unix system right? I've never played with either.
> getting root access is NOT the same as looking at source code.
Er... duh? That doesn't matter, the kind of issues we're talking about here is usually discovered via blackbox testing (not whitebox), by tracing syscalls or core API calls (no need for source access for that) as well as network communications (no need for sources either).
> loggers could pretty much do nothing if device is not stock.
And the vast majority of devices are stock.
> what else could be have 'too greedy logging' 'by mistake'? you and me will never know.
Logging has to go somewhere, logging that goes nowhere is pointless. As soon as logging goes somewhere, it can be seen and traced.
Is it unreasonable for a consumer to want complete control over a device from the moment she powers on?
Is there a certain level beneath which it is not reasonable to give consumers (optional) access? (Should consumers be prevented from "rooting" devices? Should we allow companies to maintain control over devices, e.g. having them "phone home", after they sell them?)
If yes, why?
Maybe a rootkit should just be viewed like the crapware that comes pre-installed on a PC. Sure it will help some company and perhaps the consumer herself, if she decides to use it. But it's _optional_.
Maybe they could give consumers an easy way to opt-out.
1. http://www.carrieriq.com/overview/mobileservice/index.htm
2. http://news.ycombinator.com/item?id=3264264